Technical explanation of SMS interception attack.

Hello, my friend! Excited to dive into the realm of cutting-edge cyber knowledge with you! Today, let's explore the intriguing world of SMS interception and why it's more crucial than ever.

In our tech-savvy era, you are most probably someone who seeks knowledge beyond the ordinary, a real ICT enterprise enthusiast! In this article, we're delving into cyber-attacks targeting not just the usual targets like web apps and operating systems, but also the fascinating realms of Industrial Control Systems (SCADA, PLC, DCS) and wireless mobile telecommunication tech (think GSM/LTE).

Now, let's spotlight the enigma of SMS interception.


Why SMS interception, you ask?

In Azerbaijan, SMS is a top choice for Multi-Factor Authentication (MFA) these days. Despite knowing it has vulnerabilities and can be hacked, people still prefer it for MFA, especially here. Recently, its use has grown even more. SMS interception opens doors for:

  • Accessing payment services
  • Recovering passwords for email and social networks
  • Online banking OTPs, and more.


How can SMS be intercepted?

Wondering how SMS can be intercepted? Here are a few ways:

  • Duplicate the physical SIM card at an official sales point of the mobile operator.
  • Intercept the radio signal (GSM A5/1) and decrypt the messages.
  • Infect the smartphone with malware.
  • Gain access to the SS7 network (IPX).


How to get access to a closed SS7 network?

Accessing a closed SS7 network involves various methods, but it's essential to note the legal and ethical implications:

  • Some mobile operators or SS7 service providers might offer temporary access under dedicated business services.
  • Illegal SS7 service providers (DarkNet markets) can sell access to the IPX network.
  • You can find an insider, or use simple social engineering.
  • Hack the network, etc.


SMS interception attack via SS7 network.

Considering that the malicious actor is quite motivated, he definitely has the relevant tools for attacking the network. Let's go through the details of the attack and clarify, from a technical perspective, how it happens.

First of all, it is necessary to understand the normal SMS call flow and the normal messaging between global and local network elements. Take a look at the following diagram:

This is actually a simplified diagram, and the main query you should focus on is SRI-For-SM (Req. & Resp.). Subscriber "A" (originating) wants to send an SMS to subscriber "B" (terminating). "A" generates an SMS message that contains the destination MSISDN (Mobile Station International Directory Number) in the header and sends it to the base station. The base station in turn forwards the request to the MSC/VLR. The SMSC registered in the MSC is responsible for handling the request, and the MSC generates a MAP protocol message, MO-Forward-SM, towards it. Now the interesting part: the SMSC doesn't know where "B" is located, so it generates an SRI-For-SM (Send-Routing-Info-For-SM) message and sends it to the HLR. The HLR looks up its database and returns an SRI-For-SM response to the requesting SMSC. At the MAP level (MAP is the network protocol) the response includes the following:

  1. Point code (some kind of IP address) of MSC/VLR serving the "B";
  2. IMSI of "B";

After receipt of the SRI-For-SM response, the requesting SMSC uses an MT-Forward-SM message to send the SMS to the MSC/VLR currently serving the terminating subscriber.

This is the normal SMS call flow. In order to hijack the normal process and intercept successfully, we need at least the following:

  1. IMSI of target subscriber;
  2. Address of Serving MSC/VLR;
  3. Address of subscriber’s HLR;
  4. Fake MSC/VLR.

You can get all the above data in one attack scenario. In this scenario, the malicious actor needs to pose as an SMSC wishing to deliver an SMS message to the target subscriber. To deliver the message, the “Fake SMSC” requires the address of the MSC/VLR currently serving the target subscriber (our victim).

  1. The “Fake SMSC” generates an SRI-For-SM request message with the MSISDN of the target subscriber in the header.
  2. The “Fake SMSC” then sends the SRI-For-SM request to the Gateway STP (some kind of border router in the IPX network) of the target subscriber's home network.
  3. To get the address of the HLR, the attacker relies on Global Title Translation (GTT) and places the intruder's own address in the SCCP calling party address field. GTT is roughly analogous to routing in an IP network: SCCP uses Global Title Translation to determine Point Codes from Global Titles so as to instruct MTP where to route messages. The Gateway STP performs GTT to find the point code and subsystem of the HLR.
  4. The message is then routed to the HLR. The HLR queries its database using the MSISDN, places the results in an SRI-For-SM response and sends it to the Gateway STP for routing back to the originator of the SRI-For-SM query.

As a result of a successful attack we will have a) the IMSI of the subscriber; b) the address of the MSC/VLR currently serving the subscriber; c) the address of the HLR in the subscriber's home network, which is necessary to continue with the SMS interception attack.

Since we have obtained the necessary data for the attack, let's do it:

  1. Create a “Fake MSC/VLR” and update the location of our victim in the HLR.
  2. The Fake MSC sends an “Update Location Request” to the HLR. After the relevant messaging process, the HLR updates the location info of our victim so that the serving VLR for him/her is now our “Fake MSC/VLR”.
  3. Now all incoming calls and messages to our victim will be sent to the Fake MSC. More technically:
     a) MO messages will be sent from the MSC/VLR to the SMSC serving our victim;
     b) the SMSC asks the HLR for the location of our victim via an SRI-For-SM request, and the HLR responds that the “Fake MSC/VLR” is the serving network element;
     c) finally the SMSC sends the message to the “Fake MSC/VLR”;
     d) the Fake MSC responds with the appropriate MT-Forward-SM ACK, which closes the session.
  4. In order to avoid the victim noticing any anomalies, all settings need to be restored, i.e. the victim is re-registered in the original MSC/VLR.
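From the home network's side, both phases above leave a signature: an SRI-For-SM request arriving from a Global Title that is not a known SMSC (the reconnaissance step), and an Update Location from a VLR that is not the home VLR or a roaming partner, followed shortly by a re-registration back to a trusted VLR (the interception and restore steps). The following detector is an added example, not code from the article; the log format, the Global Title values and the trusted-GT lists are all constructed for illustration.

```python
# Added example: flag the MAP patterns described in the article on constructed
# signalling log lines. Log format, GTs and allow-lists are hypothetical.

# Constructed allow-lists of Global Titles the home network expects to see.
TRUSTED_SMSC_GT = {"994501000001"}                 # home-network SMSC
TRUSTED_VLR_GT = {"994509000002", "441234000003"}  # home VLR + roaming partner

# Constructed log: "<epoch> <MAP operation> cgpa=<SCCP calling GT> <msisdn|imsi>=<value>"
SAMPLE_LOG = """\
1700000000 SRI-For-SM cgpa=994501000001 msisdn=994551234567
1700000005 SRI-For-SM cgpa=370999000009 msisdn=994551234567
1700000010 UpdateLocation cgpa=370999000009 imsi=400019999999999
1700000070 UpdateLocation cgpa=994509000002 imsi=400019999999999
"""

def parse(line):
    """Split one log line into its timestamp, MAP operation, calling GT and subscriber id."""
    ts, op, cgpa, sub = line.split()
    return {"ts": int(ts), "op": op,
            "cgpa": cgpa.split("=", 1)[1], "sub": sub.split("=", 1)[1]}

def detect(log, flip_window=300):
    """Return (timestamp, rule, detail) alerts for the three patterns in the text."""
    alerts = []
    last_ul = {}  # imsi -> (ts, cgpa) of the previous UpdateLocation
    for line in log.strip().splitlines():
        ev = parse(line)
        if ev["op"] == "SRI-For-SM" and ev["cgpa"] not in TRUSTED_SMSC_GT:
            # Reconnaissance: routing-info query from something that is not an SMSC.
            alerts.append((ev["ts"], "sri_for_sm_untrusted_origin", ev["cgpa"]))
        elif ev["op"] == "UpdateLocation":
            if ev["cgpa"] not in TRUSTED_VLR_GT:
                # Interception: the HLR is being pointed at an unknown VLR.
                alerts.append((ev["ts"], "update_location_untrusted_vlr", ev["cgpa"]))
            prev = last_ul.get(ev["sub"])
            # Restore step: fast re-registration back to a trusted VLR right
            # after an untrusted one (default window: 5 minutes).
            if (prev and prev[1] not in TRUSTED_VLR_GT
                    and ev["cgpa"] in TRUSTED_VLR_GT
                    and ev["ts"] - prev[0] <= flip_window):
                alerts.append((ev["ts"], "location_flip_flop", f"{prev[1]}->{ev['cgpa']}"))
            last_ul[ev["sub"]] = (ev["ts"], ev["cgpa"])
    return alerts

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts, rule, detail)
```

In a real deployment these checks belong on the signalling firewall at the Gateway STP, and SMS Home Routing (returning a correlation id instead of the real IMSI and serving MSC in the SRI-For-SM response) removes the reconnaissance value of that query altogether.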

Conclusion

The security vulnerabilities within the SS7 signalling protocol suite that enable the interception of mobile calls and SMS have been public for quite some time (almost 10 years). Surprisingly, this knowledge hasn't deterred its continued use. A "magical" risk-management perspective might suggest, "No historical event equals no probability, and therefore, no risk." :)

For those newly entering the technology or mobile telecom domain, questions like "What is SS7?", "What is an STP?", "What is a point code?" might have crossed your mind. In upcoming technical articles, I'll dive into the SS7 network architecture, covering the answers to these and many more questions. Stay tuned for a deeper exploration into the world of SS7!

#SS7Security #TelecomExploration #CyberSecurity


Imad Ayad

I do things that help my clients. It brings in revenues. Everybody happy.

1 year

I love how readable and useful this article is
