
SS7map: SS7 country risk ratings

P1 Security presents SS7map, the first cartography of SS7 International Roaming Infrastructure vulnerabilities, with specific ratings for countries worldwide.

Research
Dec 28, 2014

Mobile Network Operators rely on a network separate from the Internet that interconnects operators and other parties, so that calls work between operators, especially when you are in another country (roaming).
This is what is called the “SS7 network”, a.k.a. “International Roaming Infrastructure”, which by its nature transmits confidential customer and operator information.

In SS7map, we present the first cartography of SS7 International Roaming Infrastructure vulnerabilities, to push the industry to react and to show all of us, as customers, the security level of the infrastructure we are all using.

For decades the SS7 network has been used by intelligence agencies and various entities to track the location of customers and help in the interception of calls and SMS. It’s time to have visibility on which countries are taking care of these issues and protecting their population. The SS7 network is obscure, and mapping it is a step towards better security.

Our first release presents SS7 Roaming Infrastructure ratings for countries worldwide. The project is still in an early stage and we have work to do to offer a precise vision, but for the first time there is a public worldwide view on the security of this vital core network.

[Figure: SS7map screenshot]

SS7map Ratings

SS7map ratings are divided into 3 categories:

  • Privacy Leaks: How much the operators of a given country leak subscriber privacy data, such as the location of their subscribers, to anyone on the SS7 network.
    Any operator and many companies offering location / SMS services can gather this information.
  • Network Exposure: Network Elements exposed and security mechanisms implemented by operators of a given country. It shows the attack surface of the Telecom Network of a country from the SS7 perspective.
  • Global risk: This combines Privacy Leaks and Network Exposure, giving more importance to Privacy Leaks.

The country ratings for these 3 categories are shown on the SS7map website main page by colors on the map.

On the per-country pages we also show subscores for Privacy Leaks and Network Exposure, explained below.

Privacy Leaks

In Privacy Leaks we group the leaks of customer information from all operators in a country:

  • Subscriber location leak
  • Subscriber private information (identifiers, cryptographic keys, postpaid/prepaid status)
  • Subscriber communications confidentiality (decryption of SMS/calls using known attacks)

Gathering privacy-related information on the SS7 network is mainly done by sending SS7 Mobile Application Part (MAP) messages. There are numerous SS7 MAP messages related to privacy, as shown in this diagram:

[Figure: SS7map Privacy Leaks diagram]

The answers from the operators of a particular country are processed, and a score is then assigned using this formula:

privacyleak = 150 * leak_locationcell
            + 100 * leak_privateinfos
            +  60 * net_homerouting
            +  50 * leak_authvectors
            +  40 * leak_subscriberplan
            +  10 * net_homerouting_defeated_ati
            +  10 * net_homerouting_defeated_psi
            +  10 * leak_location

We use the following subscores for the Privacy Leaks rating:

MAP message vulnerabilities disclosing precise subscriber location (200m) (leak_locationcell)

How are operators in the country protecting subscribers' precise street-level (200m) location from other countries and external parties?

This score is based on answers to the following SS7 MAP messages:

  • ATI: Any-Time-Interrogation, to gather MSC and Cell-ID from HLR
  • PSI: Provide-Subscriber-Information, to gather Cell-ID directly from MSC

Number of different MAP message vulnerabilities disclosing subscriber private information (leak_privateinfos)

How are operators in the country protecting the subscribers' private unique identifier (IMSI)?

Gathering the IMSI allows attackers to gather further information on a subscriber.

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather IMSI from HLR
  • SRI: Send-Routing-Info, to gather IMSI from HLR

Number of different MAP message vulnerabilities disclosing subscriber location (leak_location)

How are operators in the country protecting subscribers' city-level (50km) location from other countries and external parties?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather MSC from HLR
  • SRI: Send-Routing-Info, to gather MSC from HLR
  • ATI: Any-Time-Interrogation, to gather MSC from HLR

Leak of subscriber keys (Network Impersonation possible) (leak_authvectors)

How are operators in the country protecting subscribers against decryption of calls and SMS by attackers?

This score is based on answers to the following SS7 MAP messages:

  • SAI: Send-Authentication-Info, to gather Authentication vectors from HLR

Leak of prepaid/postpaid subscriber status (leak_subscriberplan)

How are operators in the country protecting information about the subscriber account, like the postpaid/prepaid options of the subscription?

This score is based on answers to the following SS7 MAP messages:

  • INTSS: Interrogate-SS, to gather subscriber plan information from MSC/VLR

Leak of subscriber location through Home Routing bypass (net_homerouting, net_homerouting_defeated_psi, net_homerouting_defeated_ati)

Are operators in the country using protection mechanisms to hide subscriber location from other operators / third parties?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather information from HLR
  • ATI: Any-Time-Interrogation, to gather information from HLR
  • PSI: Provide-Subscriber-Information, to gather information from MSC

Network Exposure

In Network Exposure our focus is the Core Networks of operators in a country:

  • Attack surface of the operators (network topology, identification of the network nodes, a.k.a. Network Elements)
  • Network misconfigurations allowing attackers to modify data
  • Bypass of network security mechanisms

We map the Network Exposure of a country's operators by sending SS7 Transaction Capabilities Application Part (TCAP) and SS7 Mobile Application Part (MAP) messages, as shown in this diagram:

[Figure: SS7map Network Exposure diagram]

The formula for Network Exposure calculation is the following:

networkexposure = 200 * net_fingerprint_ne
                + 100 * net_homerouting
                +  30 * net_homerouting_defeated_ati
                +  30 * net_homerouting_defeated_psi
                +  50 * leak_location
                +  40 * leak_subscriberplan
                +  20 * leak_locationcell
                +  10 * leak_authvectors
                +  10 * net_ne
                +   5 * net_directanswer

We use the following subscores for the Network Exposure rating:

Network Elements fingerprint (net_fingerprint_ne)

Are the operators revealing the type of Network Elements they are using?

This score is based on answers to the following SS7 messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network information from HLR
  • SRI: Send-Routing-Info, to gather network information from HLR
  • ATI: Any-Time-Interrogation, to gather network information from HLR
  • PSI: Provide-Subscriber-Information, to gather network information from MSC
  • TCAP, to gather network information from all Network Elements

SCCP discovery attack surface (net_ne)

Are the operators exposing a lot of Network Elements or disclosing their Network Topology?

This score is based on answers to the following SS7 messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network information from HLR
  • SRI: Send-Routing-Info, to gather network information from HLR
  • ATI: Any-Time-Interrogation, to gather network information from HLR
  • PSI: Provide-Subscriber-Information, to gather network information from MSC
  • TCAP, to gather network information from all Network Elements

Potential change of prepaid/postpaid status (fraud) (net_directanswer, leak_subscriberplan)

Do the operators allow anyone to change subscriber information, allowing potential fraud?

This score is based on answers to the following SS7 MAP messages:

  • INTSS, REGSS: Interrogate-SS, Register-SS, to gather MSC/VLR configuration

Home Routing (net_homerouting)

Are the operators using a protection mechanism (Home Routing) to hide customer location and private identifiers?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network information from HLR
  • SRI: Send-Routing-Info, to gather network information from HLR
  • ATI: Any-Time-Interrogation, to gather network information from HLR

Leak of internal topology through Home Routing bypass (net_homerouting, net_homerouting_defeated_psi, net_homerouting_defeated_ati)

Is Home Routing susceptible to bypass, revealing the real Network Topology?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network information from HLR
  • SRI: Send-Routing-Info, to gather network information from HLR
  • ATI: Any-Time-Interrogation, to gather network information from HLR
  • PSI: Provide-Subscriber-Information, to gather network information from MSC

Global Risk

Global Risk combines Privacy Leaks and Network Exposure, using the following formula:

globalrisk = 5 * privacyleak + 1 * networkexposure

These ratings are going to evolve as we continue our research; we will post notifications accordingly.
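
An added worked example (not P1 Security's code): the three formulas above applied in Python to constructed subscores, plus the effective weight each subscore carries in globalrisk once both formulas are substituted in. The page does not give the subscores' value ranges, so the sample values, and treating a missing subscore as 0, are assumptions.

```python
# Weights copied from the three formulas on this page.
PRIVACY_WEIGHTS = {
    "leak_locationcell": 150, "leak_privateinfos": 100,
    "net_homerouting": 60, "leak_authvectors": 50,
    "leak_subscriberplan": 40, "net_homerouting_defeated_ati": 10,
    "net_homerouting_defeated_psi": 10, "leak_location": 10,
}
EXPOSURE_WEIGHTS = {
    "net_fingerprint_ne": 200, "net_homerouting": 100,
    "net_homerouting_defeated_ati": 30, "net_homerouting_defeated_psi": 30,
    "leak_location": 50, "leak_subscriberplan": 40,
    "leak_locationcell": 20, "leak_authvectors": 10,
    "net_ne": 10, "net_directanswer": 5,
}
GLOBAL_WEIGHTS = {"privacyleak": 5, "networkexposure": 1}


def weighted_sum(weights, subscores):
    """Apply one formula. Assumption: a subscore missing from the input is 0."""
    return sum(w * subscores.get(name, 0) for name, w in weights.items())


def country_scores(subscores):
    """Return the three ratings for one country's subscores."""
    privacy = weighted_sum(PRIVACY_WEIGHTS, subscores)
    exposure = weighted_sum(EXPOSURE_WEIGHTS, subscores)
    overall = (GLOBAL_WEIGHTS["privacyleak"] * privacy
               + GLOBAL_WEIGHTS["networkexposure"] * exposure)
    return {"privacyleak": privacy, "networkexposure": exposure,
            "globalrisk": overall}


def effective_global_weights():
    """Weight of each subscore in globalrisk, largest first."""
    names = set(PRIVACY_WEIGHTS) | set(EXPOSURE_WEIGHTS)
    eff = {n: GLOBAL_WEIGHTS["privacyleak"] * PRIVACY_WEIGHTS.get(n, 0)
              + GLOBAL_WEIGHTS["networkexposure"] * EXPOSURE_WEIGHTS.get(n, 0)
           for n in names}
    return dict(sorted(eff.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed subscores for a hypothetical country (not SS7map data).
SAMPLE = {"leak_locationcell": 1, "leak_privateinfos": 2, "leak_location": 3,
          "net_fingerprint_ne": 1, "net_ne": 4}

if __name__ == "__main__":
    print(country_scores(SAMPLE))
    for name, weight in effective_global_weights().items():
        print(f"{weight:4d}  {name}")
```

Because several subscores appear in both formulas, their combined weight in globalrisk is larger than either formula alone suggests; leak_locationcell, for instance, ends up at 5 * 150 + 20.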
