7

I've read the following article about SS7 attacks: https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf

I have some questions about this kind of attack:

  1. Can an SS7 attack be done through a regular home ISDN connection (not requiring it to be done from within a network operator device)?

As I understand from the article, an SS7 attack manages to find the IMSI and location (cell location and accurate GPS location), but:

  1. Although there is this well-published article, there is no demonstration or explanation of how to enter the SS7 network in the first place. How is it done?

  2. There is Verint's SkyLock product, which uses SS7 attacks: https://assets.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf The interesting part is that it is said that it can be done from anywhere in the world because their devices are spread around. "Worldwide SS7 Hubs: SkyLock global infrastructure consists of SS7 hubs which are spread in various locations around the world. " Can anyone explain this? There is also a similar product, https://www.thespyphone.com/geolocation-and-surveillance-of-any-phone-worldwide/ What is it actually? How do these products get into SS7? How can such products be legal?

ransh
  • This should help explain most of what you want to know: https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf Also follow P1Sec talks: http://2014.hackitoergosum.org/slides/day1_Hacking-telco-equipment-The-HLR-HSS-Laurent-Ghigonis-p1sec.pdf / http://www.p1sec.com/corp/training/conferences/ – Ed Daniel May 12 '17 at 16:19
  • The essence of my question is how these attacks manage to enter the SS7 network in the first place (before doing all the other things). I have edited my question. – ransh May 12 '17 at 21:02

2 Answers

6

SS7 attacks can't be done via ISDN lines.

In order to attack the SS7 network, the attacker has to be "on the SS7" network. The SS7 network connects telco companies together, but it is not extended to clients. What this means is that the attacker either has access to the network administrator at a telco company, or the attacker is the network admin at the telco company.

Luckily, SS7 attacks can't be done by default by skiddies. But countries where the admins are not paid very well will pose a significant threat to the whole world. Countries where the intelligence agency is interested in attacking another country are also a huge threat.

user2716262
  • Thanks! What about the products I've referenced in the original post above (SkyLock and the SpyPhone)? How is it that they suggest SS7 information? Is it by using their own core network, which can communicate with any other telco in the world? And is it legal? – ransh May 18 '17 at 19:32
  • Both solutions give subscribers access to the SS7 network. In the Verint SkyLock, the customer has to install some parts in his network, while in the SpyPhone solution, I think the customer only has to pay and now he has access to their online solution, which already has access to the SS7 network. I don't know how legal this is, as this depends on the country. Usually these services are sold to governments and similar entities, and not to home users. – user2716262 May 22 '17 at 05:54
1

ISDN in itself is an SS7 network. By buying access to an ISDN connection you are getting into the SS7 network, which in turn is the PSTN. In short, yes, it can be done over ISDN; you just need to map and convert regular PSTN traffic into IP-based SIGTRAN, and this is not something new. These devices are everywhere on the internet. Just search for "isdn pri to sigtran" or "t1 e1 to sigtran". It's really easy.

Learn more about PSTN: https://en.wikipedia.org/wiki/Public_switched_telephone_network

EDIT: If you still do not believe me, check this reference from a well-known SMS sender. The owner of the site knows more about mobile networks than you and me, and that site clearly states that all SS7 traffic flows over ISDN: http://www.ozekisms.com/index.php?owpn=592

Jenna
  • 1
    Please use proper sentence structure in your posts. – schroeder Apr 10 '19 at 18:28
  • 1
    Do you have any references for your claim that ISDN is an SS7 network? My quick research shows that they are not the same. – schroeder Apr 10 '19 at 18:32
  • ISDN is one of the network elements of SS7. If you have access to a single network element, you can send other kinds of SS7 messages through the network using the ISDN D channel. I mean, it's known all over that ISDN can be used for data messages; this includes GSM MAP messages, SMS, etc. – Jenna Apr 12 '19 at 08:00