
Cellular Location Tracking Attacks

This document discusses cellular location tracking attacks using signaling protocols like SS7 and Diameter. It describes how an attacker with access to the SS7 network can query different core network elements like the HLR and MSC to track the location of a target cellphone user down to the accuracy of their cell area or geographical coordinates. It also explains how attackers can exploit the interoperability between SS7 and Diameter networks using Interworking Functions to track LTE users' locations with additional information like IMEI and device details. The document recommends countermeasures like effective SS7 firewalls, Diameter security, and whitelisting to protect user location privacy against such attacks.

Uploaded by

Md Arafat

Cellular location tracking attacks using signalling protocols

Siddharth Rao (1), Tuomas Aura (1), Dr. Silke Holtmanns (2), Dr. Ian Oliver (2)
(1) Department of Computer Science, Aalto University
(2) Bell Labs - Nokia Networks, Finland

Signaling System No. 7 (SS7)

Signaling System No. 7 (SS7) is one of the mobile communication backend protocols, mainly used for establishing roaming interconnectivity across 2G/GSM mobile network operators. Besides roaming, SS7 has enabled a wide range of facilities such as Short Message Services (SMS), toll-free numbers, televoting and Local Number Portability (LNP). It was built at a time when mobile network operators were a trusted network of government-owned organizations, and the security of the whole network was provided by denying access to external entities. Being a four-decade-old protocol, SS7 has the following issues:

• Attackers can gain access to the SS7 based core network using other Internet protocols.
• Once they are inside the core network, they can exploit the routing layer to map the periphery of the network, scan for open ports and send hostile communication messages.
• Since there is no authentication check or any other cryptographic protection within the network, the attackers can impersonate network internal nodes and query other nodes for subscriber information.

Location tracking attacks using SS7

As shown in Figure 1, an attacker with SS7 access can track the location of cellphone users just by having their phone number. The accuracy of the tracked location depends on the cellular service procedure and the core network element queried by the attacker.

Figure 1: Impersonation of an SS7 attacker as different core network nodes to learn the location of the targeted cellphone user

• Querying the Home Location Register (HLR): By impersonating a Global MSC (GMSC) or Short Message Service Center (SMSC), an attacker can initiate either the call set up or SMS delivery procedures to query the HLR for the global title of the MSC and the IMSI of the target. The MSC service area indicates the state or county in which the target is currently roaming. The attacker can also learn the cell area of the target by misusing the billing platform related procedures.
• Querying the Mobile Switching Center (MSC): Once the IMSI and the global title of the MSC are known, the attacker can query the MSC by impersonating the HLR to learn the cell area of the target. It is also possible to misuse the emergency call procedures to track the target to the accuracy of their geographical coordinates.

Note: More details on the location tracking attacks can be found in our survey article [1].

Diameter Protocol

3GPP has standardized the use of Diameter in 4G/LTE core network communication to support mobility and the IP Multimedia Subsystem (IMS), and to extend the functionalities of SS7 over an all-IP network. As a relatively new protocol, Diameter has strong support for Authentication - Authorization - Accounting (AAA), encryption of communication traffic and mechanisms to hide the internal topology. However, the security and privacy considerations of Diameter fall short of protecting the end user from being tracked [2].

Exploiting the interoperability between SS7 and Diameter based core networks

Most mobile network operators upgrade their network from GSM to LTE gradually, to avoid service interruption and optimize the return on investment on the infrastructure. Due to this, the current interconnection network contains an inhomogeneous set-up of nodes that support either SS7 or Diameter. For interoperability with partners, the edge nodes often have the ability to translate between the Diameter and SS7 protocols, which is done using Interworking Functions (IWF). In such situations, the attacker can exploit the lack of security measures in the interconnections to track the location of an LTE cellphone user. Unlike the SS7 based attacks, here the attacker can gain more fine-grained information such as the software version, IMEI number and operating system of the target's device, along with location tracking up to the granularity of the cell area.

Figure 2: An attacker from SS7 core network can track the LTE user's location using Interworking Functionalities (IWF).

As shown in Figure 2, the IWF provides an easy way for an attacker to translate the SS7 based attacks into Diameter location tracking procedures.

Countermeasures

Deploying a combination of efficient filtering mechanisms and standardized security measures will protect the end user's location privacy against attacks that exploit the signaling protocols.

• Effective SS7 filter/firewall to consider the contextual location of the users.
• Implementing NDS/IP security over the Diameter Edge Agents.
• Whitelisting the partners and the protocols used by them.
• Regular monitoring and logging of the signaling traffic.

It is important to note that these countermeasures have to be implemented solely by the mobile network operators, and there is no way that an app or mechanism on the end user's side can detect such attacks or protect against them.

Publications

[1] S. P Rao, S. Holtmanns, I. Oliver, T. Aura, "We know where you are! - Utilising the telecom core network for user tracking," The 8th International Conference on Cyber Conflict - Cycon 2016. (To appear)
[2] S. Holtmanns, S. P Rao, I. Oliver, "User location tracking in LTE networking using the Interworking Functionality," The 15th International IFIP TC6 Networking Conference (NETWORKING 2016).
[3] S. P Rao, B. T Kotte, S. Holtmanns, "Privacy in LTE networks - Reviewing the security and privacy considerations in LTE networks," The 9th EAI International Conference on Mobile Multimedia Communications. (To appear)

Secure Systems Research Group
Department of Computer Science
School of Science, Aalto University, Finland

Contact information for comments & improvement ideas: Siddharth Rao
Email: [email protected]
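
The partner whitelisting, contextual filtering and logging listed under Countermeasures can be combined in one edge-filter decision, sketched here as an added example that is not part of the poster. The record fields, procedure labels, global-title prefixes and PLMN codes are hypothetical, constructed values, and real signaling messages carry far more detail than this simplified view.

```python
from dataclasses import dataclass

# Constructed partner whitelist: global-title prefix -> (partner PLMN, agreed procedures).
PARTNERS = {
    "99901": ("00101", {"call_routing_query", "sms_routing_query", "subscriber_info_query"}),
    "99902": ("00102", {"sms_routing_query"}),
}
# Role a sender must claim for each procedure (GMSC/SMSC query the HLR, the HLR queries the MSC).
EXPECTED_ROLE = {"call_routing_query": "GMSC", "sms_routing_query": "SMSC",
                 "subscriber_info_query": "HLR"}

@dataclass
class SignalingMsg:          # hypothetical, simplified view of one inbound interconnect message
    origin_gt: str           # calling global title
    claimed_role: str        # node type the sender presents itself as
    procedure: str
    imsi: str                # subscriber the message refers to ("" if addressed by number)

def lookup_partner(gt):
    """Longest-prefix match of the origin global title against the whitelist."""
    for n in range(len(gt), 0, -1):
        if gt[:n] in PARTNERS:
            return PARTNERS[gt[:n]]
    return None

def decide(msg):
    partner = lookup_partner(msg.origin_gt)
    if partner is None:
        return "drop:unknown-origin"
    plmn, agreed = partner
    if msg.procedure not in agreed or EXPECTED_ROLE.get(msg.procedure) != msg.claimed_role:
        return "drop:procedure-not-agreed"
    # Contextual check: only the subscriber's home network runs the HLR, so an
    # HLR-originated query must come from the PLMN encoded in the IMSI prefix.
    if msg.claimed_role == "HLR" and not msg.imsi.startswith(plmn):
        return "drop:not-home-network"
    return "pass"

SAMPLE = [  # constructed traffic
    SignalingMsg("9990155501", "SMSC", "sms_routing_query", ""),
    SignalingMsg("9990355501", "GMSC", "call_routing_query", ""),
    SignalingMsg("9990255501", "GMSC", "call_routing_query", ""),
    SignalingMsg("9990155501", "HLR", "subscriber_info_query", "001020000000007"),
    SignalingMsg("9990155501", "HLR", "subscriber_info_query", "001010000000007"),
]

def audit(msgs):
    """Return (origin, procedure, verdict) for every message so each decision is logged."""
    return [(m.origin_gt, m.procedure, decide(m)) for m in msgs]
```

The fourth sample message is the case the contextual check exists for: a whitelisted partner presenting itself as the HLR for a subscriber whose IMSI belongs to a different network.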
