2

Wondering if there are info/source code/guide on the SS7 wiretapping part (SMS interception). I had a look on the track any mobile by a German researcher, and on PTsecurity about how the structure works, understood how the location tracking part works.

I read that the script can be written for Linux based machine. Wondering if there was any further in-depth info on this.

The intruder doesn't need sophisticated equipment. We used a common computer with OS Linux and SDK for generating SS7 packets, which is publicly available on the web.

Upon performing one attack using SS7 commands, the intruder is able to perform the rest attacks by using the same methods. For instance, if the intruder managed to determine a subscriber's location, only one step left for SMS interception, transfer of funds etc.

Community
  • 1
Daren
  • 21
  • 2

1 Answers1

2

For a great introduction to the topic of SS7/MAP security (especially SMS Interception), Insinuator has great coverage of the ULIN story, as well as a links to:

  • The Tobias Engel prezo from CCC that covers competitors to the ULIN as well as mentioning that a Linux server would need SS7 Network access as well as SCCP roaming on the target network(s)
  • A link to a SANS paper detailing service-provider countermeasures
  • Discussion of potential intrusion-detect systems for subscribers based on the CryptoPhone

PTSecurty published a paper which mentions a lot of the required elements to perform SMS interception -- https://www.ptsecurity.com/upload/ptcom/SS7-VULNERABILITY-2016-eng.pdf

Using the following 4 resources, I was able to ascertain exactly how all of the elements you described function:

  1. The SS7 Vulnerabilities eBook, available via direct link here -- [PDF] http://www.cellusys.com/?dl_id=14 [PDF]
  2. A book, Mobile Cellular Communication, which covers many of the messages in the section Common channel signalling
  3. The section on SMSC interaction with the VLR in the book, IP Design for Mobile Networks
  4. Chapter 13 on GSM and ANSI-41 Mobile Application Part (MAP) in the book, Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Services -- particularly the discussions around sendRoutingInfoForSM and updateLocation messages
atdre
  • 18,885
  • 6
  • 58
  • 107