Mobile Threat Catalogue

Obtaining Device Location via SS7 Exploit

Contribute

Threat Category: Carrier Interoperability

ID: CEL-38

Threat Description: Tracking of device locations by exploiting network weaknesses.

Threat Origin

SCTPscan - Finding Entry Points to SS7 Networks & Telecommunication Backbones 1

GSM Sniffing 2

Toward the HLR: Attacking the SS7 & SIGTRAN Applications 3

Mobile Self Defense 4

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures

Mobile Network Operator

SS7 Firewalls may be deployed throughout the network. See Securing SS7 Telecommunications Networks 5

References

  1. P. Langlois, SCTPscan - Finding Entry Points to SS7 Networks & Telecommunication Backbones, presented at Blackhat EU, 29 Mar. 2007; www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf [accessed 8/23/2016] 

  2. K. Nohl, GSM Sniffing, 27th Chaos Communication Congress, Dec. 2010; https://events.ccc.de/congress/2010/Fahrplan/attachments/1783_101228.27C3.GSM-Sniffing.Nohl_Munaut.pdf [accessed 8/23/2016] 

  3. P. Langlois, Toward the HLR: Attacking the SS7 & SIGTRAN Applications, presented at H2HC, Dec. 2009; www.h2hc.org.br/repositorio/2009/files/Philippe.en.pdf [accessed 8/23/2016] 

  4. K. Nohn, Mobile Self-Defense, presented at 31st Chaos Communication Congress, 27 Dec. 2014; https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf [accessed 8/29/2016] 

  5. G. Lorenz et al., “Securing SS7 Telecommunications Networks”, in Workshop on Information Assurance and Security vol. 2, 2001.