CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
AliAlwesabi
30 slides
May 10, 2024
Slide Content
Slide 1
© Copyright 2020. All rights Reserved.
Watching the Watchers
Cathal Mc Daid
@mcdaidc #rc3
Slide 2
Surveillance Companies are in the News (again)
Slide 3
Why are we here
•2G/3G Core Network uses Signalling System 7 (SS7)
•Main security problem:
–Assumes trust between mobile phone operators worldwide
•4G Core Network uses Diameter Protocol
–Same security problem exists!
“Age is just a number”. Issue is underlying trust model.
•SS7 (GSM-MAP) – early 90s, Diameter – early 2010s
Slide 4
3 Types of Exploiters of Mobile Signalling Networks
1) Surveillance Companies
2) Governments
3) Criminals
•Considerable overlap between sources used by Surveillance Companies and Governments
•Criminal activity is the smallest activity, some overlap between sources used by these and Surveillance Companies
Surveillance companies have large resources ($$)
Slide 5
How do we know what is Malicious?
From 2014, Industry has been recommending ways for Mobile Operators to protect subscribers/networks
Led by GSM Association (GSMA), key outputs:
•2G/3G: GSMA FS.11 Document
•4G: GSMA FS.19 Document
+ Other documents for 5G and GTP
Mobile Operators take this as starting point to find irregular or suspicious signalling traffic to block =>
•but this does not mean this irregular traffic is malicious
•The vast majority of this is “noise”: misconfigured nodes, local-specific configs
Malicious traffic is a very small percentage of irregular/suspicious
•It takes a LOT of analysis, experience to attribute malicious-ness
•Easy to make mistakes (see some recent headlines)
[Figure: All SS7 Traffic; 0.04 % = Irregular/Suspicious; 1.37% = Malicious]
Slide 6
What do Mobile Surveillance Companies do
Surveillance!
Vast majority of confirmed malicious activity is Location Tracking related
On average, for surveillance companies:
–SS7 Activity
•61.89% of malicious SS7 activity is used to obtain information (normally to help Location Tracking)
•30.90% of malicious SS7 activity is directly used to track location of subscribers (people/things)
•5.13% is SS7 testing, specific attacks, uncategorised other activity
•2.07% is SS7 interception of calls/text messages/data etc
–Diameter activity: very small in past, large increase recently
–SMS: One surveillance company is also very active via SMS
Slide 7
How Location Tracking is done via SS7 : Example
[Diagram nodes: Surveillance Company; Victim’s Network: HLR, MSC, Target]
Method 1: Direct
Location Tracking:
1) ATI (MSISDN)
2) ATI-Resp (Cell-ID)
Method 2: Indirect
Information Harvesting:
1) SRI-SM (MSISDN)
2) SRI-SM-Resp (IMSI, MSC)
Location Tracking:
3) PSI (IMSI, MSC)
4) PSI (Cell-ID)
Simplified views, for more public information see: #31C3 Karsten Nohl, Tobias Engel
Slide 8
SS7 Location Tracking Command ‘Toolbox’ – Attacker Pros and Cons
•ANY-TIME-INTERROGATION (ATI)
–Pre-requisite(s): MSISDN (or IMSI)
–Pros: No other info needed
–Cons: Can often be blocked by operator legacy equipment
•PROVIDE-SUBSCRIBER-INFO (PSI)
–Pre-requisite(s): IMSI, Serving MSC
–Pros: Difficult for Operators to block
–Cons: Requires possession of IMSI and Serving MSC
•PROVIDE-SUBSCRIBER-LOCATION (PSL)
–Pre-requisite(s): MSISDN (or IMSI), Serving MSC
–Pros: Gets most precise location
–Cons: Can normally be blocked by legacy equipment. Requires possession of serving MSC. May not be supported by target network
Slide 9
Complexity/Info Needed v Possibility to be Blocked : SS7
[Chart: axes “Amount of Pre-requisite info needed by Attacker” (More) and “Possibility of Attacker to be Blocked” (Greater); points plotted: PSI, PSL, ATI; regions marked “Better/Easier for Attacker” and “Worse/Harder for Attacker”]
Slide 10
Sample Real Life Attempted Attack – SS7
1. 09:01:29 = Initial SRI-SM from 2 operators (Sure Guernsey, Jersey Airtel) in UK Channel Islands
2. 09:02 = SRI, SRI-LCS
3. 09:03 -> 09:04 = SRI-SM from UK + Cameroon
4. 09:04 -> 09:05 = 4 ATIs from Jersey Airtel, Cameroon, Israel, Laos
•All within 5 minute period
[Figure: timeline with steps 1 2 3 4, labelled Information Harvesting and Location Tracking]
Slide 11
Target?
•Later learnt that targeted mobile number was at (one stage) apparently associated with this person : Hervé Jaubert
–French Former navy officer, marine engineer, spy
•Working theory is this burst was designed to try to determine if number existed, and obtain location of number
https://www.thebureauinvestigates.com/stories/2020-12-16/spy-companies-using-channel-islands-to-track-phones-around-the-world
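Added example (not from the original slides): a defender-side correlation that surfaces a burst like the one on slide 10 for analyst review, by flagging any target that receives both information-harvesting and location-tracking MAP operations from several origin networks within five minutes. The record layout, the `min_origins` threshold, the exact seconds, the origin of the SRI and SRI-LCS, and the target labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HARVEST = {"SRI-SM", "SRI", "SRI-LCS"}  # information harvesting (slide 10)
TRACK = {"ATI", "PSI", "PSL"}           # location tracking (slide 8)

# Constructed sample records: (time, origin network, MAP operation, target).
# Shaped like the slide 10 burst; exact seconds, the origin of the SRI and
# SRI-LCS, and the target labels are assumptions.
EVENTS = [
    ("09:01:29", "Sure Guernsey", "SRI-SM", "TARGET-A"),
    ("09:01:29", "Jersey Airtel", "SRI-SM", "TARGET-A"),
    ("09:02:10", "Jersey Airtel", "SRI", "TARGET-A"),
    ("09:02:40", "Jersey Airtel", "SRI-LCS", "TARGET-A"),
    ("09:03:30", "UK", "SRI-SM", "TARGET-A"),
    ("09:03:50", "Cameroon", "SRI-SM", "TARGET-A"),
    ("09:04:20", "Jersey Airtel", "ATI", "TARGET-A"),
    ("09:04:30", "Cameroon", "ATI", "TARGET-A"),
    ("09:04:40", "Israel", "ATI", "TARGET-A"),
    ("09:04:50", "Laos", "ATI", "TARGET-A"),
    ("09:10:00", "Partner X", "SRI-SM", "TARGET-B"),  # isolated lookups: noise
    ("11:30:00", "Partner Y", "SRI-SM", "TARGET-B"),
]

def find_bursts(events, window=timedelta(minutes=5), min_origins=3):
    """Flag targets hit by harvesting AND tracking operations from several
    origin networks inside one sliding window. Output is for analyst review."""
    by_target = defaultdict(list)
    for ts, origin, op, target in events:
        by_target[target].append((datetime.strptime(ts, "%H:%M:%S"), origin, op))
    alerts = []
    for target, evs in by_target.items():
        evs.sort()
        start = 0
        for end, (when, _, op) in enumerate(evs):
            while when - evs[start][0] > window:
                start += 1  # drop events older than the window
            win = evs[start:end + 1]
            ops = {o for _, _, o in win}
            origins = {n for _, n, _ in win}
            if ops & HARVEST and ops & TRACK and len(origins) >= min_origins:
                alerts.append({"target": target,
                               "first_seen": win[0][0].strftime("%H:%M:%S"),
                               "fired_at": when.strftime("%H:%M:%S"),
                               "fired_on": op,
                               "origins": sorted(origins)})
                break  # one alert per target is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(EVENTS):
        print(alert)
```

An alert here marks traffic as suspicious, not malicious; as slide 5 notes, attributing maliciousness takes further analysis.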
Slide 12
How Location Tracking is done via Diameter: Example
[Diagram nodes: Surveillance Company; Target’s Network: HSS, MME, Target]
Method 1: Direct
Location Tracking:
1) UDR (MSISDN)
2) UDA (Cell-ID)
Method 2: Indirect
Information Harvesting:
1) SRI-SM (MSISDN) : SS7
2) SRI-SM-Resp (IMSI, MME) : SS7
Location Tracking:
3) IDR (IMSI, MME)
4) IDA (Cell-ID)
Slide 13
Diameter Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
•INSERT-SUBSCRIBER-DATA-REQUEST (IDR)
–Pre-requisite(s): IMSI, Serving MME
–Pros: Difficult for Operators to block
–Cons: Requires possession of serving MME and normally IMSI
•USER-DATA-REQUEST (UDR)
–Pre-requisite(s): MSISDN or IMSI
–Pros: Can track using MSISDN
–Cons: Can be blocked by legacy equipment.
•PROVIDE-LOCATION-REQUEST (PLR)
–Pre-requisite(s): MSISDN or IMSI or IMEI, Serving MME
–Pros: Gets most precise location, can track using MSISDN or IMEI
–Cons: Can be blocked by legacy equipment. Requires possession of serving MME. May not be supported by target network
Slide 14
Complexity v Possibility to be Blocked : SS7 and Diameter
[Chart: axes “Amount of Pre-requisite info needed by Attacker” (More) and “Possibility to be Blocked” (Greater); points plotted: Diameter (IDR, UDR, PLR), SS7 (PSI, PSL, ATI)]
Slide 15
Sample Real Life Attempted Attack - Diameter
IDR from Jersey Airtel (Channel Islands), Nov 2020
Targeted Subscriber in their home network in Asia-Pacific
IDR Flags set to retrieve location (along with other details)
[Figure annotations: IDR; MNC3.MCC234 = Jersey Airtel; MCC Geographic Region 5 ->]
Slide 16
Surveillance Companies see mobile technology as a tool, not as a path
[Diagram labels: Surveillance Company; Target; Time; Protective ‘Wall’; 5G Attack; 4G (Diameter) Attack; 3G (SS7) Attack; Variant; Simjacker Attacks; Future?]
Slide 17
Simjacker
•Uses vulnerability in SIM Card library – called S@T Browser
–S@T Browser did not validate or authorize source SMS
–Vulnerability exploited by text messages
–S@T Browser allowed access to a subset of STK (SIM Toolkit) Commands on device
•Library present on several hundred million SIM Cards
•Actively exploited in at least 3 countries in LATAM
•CVD shared within industry June 2019, publicly reported in Sep 2019, tech details released Oct 2019. CVD-2019-0026
–Full details in 40+ page technical paper on www.simjacker.com
•Simjacker is the first recorded spyware sent within a SMS
–+ huge increase in complexity and capability
Slide 18
How Location Tracking is done via Simjacker SMS
[Diagram nodes: Surveillance Company; Target’s Network: SMSC, MSC, Target; links labelled SMS]
Location Tracking
Method 1: Send from Handset, Extract to Handset
1) MO-FSM (Target MSISDN, S@T CMDS)
1) MT-FSM (Target MSISDN, S@T CMDS)
2) ENVELOPE (S@T CMDS)
2) STK PROVIDE LOCAL INFO
2) Cell-ID
2) STK SEND SMS (Cell-ID)
3) MO-FSM (Exfil MSISDN, Cell-ID)
3) MT-FSM (Exfil MSISDN, Cell-ID)
Simplified view, for more public information see: www.simjacker.com
Slide 19
Simjacker Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
•FORWARD-SHORT-MESSAGE (MO-FSM/MT-FSM) with S@T Browser payload
–Pre-requisite(s): MSISDN
–Pros: No SS7 access required, can track using MSISDN
–Cons: Requires Operator to have deployed S@T Browser with MSL=0 on their SIM Cards
Slide 20
Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker
[Chart: axes “Amount of Pre-requisite info needed by Attacker” (More) and “Possibility to be Blocked” (Greater); points plotted: Diameter (IDR, UDR, PLR), SS7 (PSI, PSL, ATI), Simjacker*]
* = requires S@T Browser on Target SIM
Slide 21
Sample Real Life Attempted Attack - Simjacker
•Vast Majority (~95%) of Simjacker attacks are sent from a Handset, to extract info via SMS to another Handset.
•But about 0.05% of Simjacker attacks extract info directly via a SS7 address (Global Title)
–This way, the extracted information is not seen in the home operator
–Same GT as SS7 attack earlier
[Figure annotations: Sent from Mexican Mobile (+52); SMS sent to Mexican Mobile (+52); Contains S@T Browser Payload, Requesting Location; Location will be sent by SMS to address registered in Sure Guernsey]
Slide 22
Distribution of Location Tracking Commands
Data from H2 2019 + H1 2020 – Specific Operators
•Attacks via SS7 : 63.40%
•Attacks via Simjacker: 36.60%
–According to our intelligence only one surveillance company uses Simjacker
–But overall stats are skewed by specific operators being very heavily targeted by Simjacker
•Better now than in past. Prior to public announcement of Simjacker ratio in affected operators was many times higher
•Attacks via Diameter : less than 0.01%
–However, in last 6 months has been a large escalation of Diameter attacks used by surveillance companies (not shown)
Working Theory : different end-users
Slide 23
Trends per Country – tracking rates per 100,000
[Chart series: Observed Simjacker Location Tracking Activity; Projected Simjacker Location Tracking Activity (if no discovery); SS7 Location Tracking Activity]
Conclusion: SS7 is not normally used for bulk subscriber tracking (by surveillance companies)
But Simjacker is (was)
Slide 24
Trends of SS7 Location Tracking Commands Over Time
[Chart series: PROVIDE-SUBSCRIBER-INFO (PSI); PROVIDE-SUBSCRIBER-LOCATION (PSL); ANY-TIME-INTERROGATION (ATI); ANY-TIME-INTERROGATION (ATI) - Global Opcode; PROVIDE-SUBSCRIBER-INFO (PSI) - Global Opcode]
For more public information on Global Opcode see: Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019, Positive Technologies
Slide 25
How do these Surveillance Companies gain access?
Multiple methods, most common:
1. Pay for Link:
–Commercial agreements via front companies, who then negotiate access to other companies reselling access to mobile operators. Can be many layers. Works best in areas with poor regulations/oversight
2. Use Big Brother:
–Governments buy surveillance solution, mandate system to be installed in ‘captive’ Operator, or add directly onto link (bypassing Operator)
3. Find old link:
–Old/legacy connections - rare. Defunct companies whose access is not completely removed. Less of an issue in Diameter than SS7
4. Others
Pricing not opaque, access is normally between €0.02 -> €0.10 per MSU
•The more SS7/Diameter access a surveillance company has, the more valuable it is
•Leads to some strange business cases when re-selling…
[Figure: Pricing of SS7 tracking on Darkweb. Cost per tracking request goes up the more you track!]
Slide 26
5G and Mobile Surveillance Companies
•5G Networks will be targeted for use by Mobile Surveillance companies
–Newer does not always equal better
•5G Networks
–solve many security issues (esp radio ones),
–make improvements on some core network security issues
–But: introduces new risks (internet technologies, slicing, additional complexity, mixed networks)
•GSMA and other organisations helping to define security from the start, for 5G core networks
•Note: difference between IT and Mobile Network security – Attacks normally come from known, ‘legitimate’ entities
[Figure labels: 4G, 5G]
More public information on 5G interconnect security, and GSMA 5G work:
How to Build a Secure 5G Network, and Protect Alice and Bob from each other. GSMA Fraud and Security Working Group.
https://www.gsma.com/aboutus/workinggroups/how-to-build-a-secure-5g-network-and-protect-alice-and-bob-from-each-other
Slide 27
5G Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
5G HTTPS/2 Commands:
•Nlmf_Location/DetermineLocation (Nlmf_DL)
–Pre-requisite(s): PEI or SUPI or GPSI, AMF Instance ID
–Pros: Can track by using GPSI (MSISDN). Precise
–Cons: Can be blocked if not part of roaming agreement. AMF instance ID optional but probably required
•Namf_Location/ProvidePositioningInfo (Namf_PPI)
–Pre-requisite(s): SUPI or GPSI
–Pros: Can track by using MSISDN
–Cons: Can be blocked if not part of roaming agreement
•Namf_Location/ProvideLocationInfo (Namf_PLI)
–Pre-requisite(s): SUPI
–Pros: Needs to be permitted on intercarrier network
–Cons: Needs SUPI to be successful
•Ngmlc_Location/ProvideLocation (Ngmlc_PL)
–Pre-requisite(s): SUPI or GPSI
–Pros: Can track by using GPSI (MSISDN). Precise. Can be intercarrier
–Cons: Inter-GMLC interface not very common
+ multiple new ways to get location in 5G as well: Events, Subscriptions, others
Slide 28
Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker & 5G
[Chart: axes “Amount of Pre-requisite info needed” (More) and “Possibility to be Blocked” (Greater); points plotted: Diameter (IDR, UDR, PLR), SS7 (PSI, PSL, ATI), Simjacker*, 5G (HTTPS/2) (Namf_PLI, Nlmf_DL, Nlmf_PPI, Ngmlc_PL)]
* = requires S@T Browser on Target SIM
Slide 29
Conclusion
•Surveillance companies exploit mobile Signalling networks today. They adjust techniques based on defences and end-users (e.g. Simjacker)
•5G networks are not invulnerable, they will also be used by surveillance companies.
•Mobile Operators can - and many do - detect and block attacks. The key to make this successful is Intelligence.
•Why watch the watchers? What you cannot see, you cannot stop