In our previous blog post we laid out some of the attacks that are very much possible in the world of mobile networking. To succeed with these, the attacker must research the victim in advance. One of the important details to know is the victim's International Mobile Subscriber Identity (IMSI). It is a globally unique identifier from which it is possible to discover which operator's network the subscriber is on. Next we'll go over a few means of acquiring that information.
In their research, Positive Technologies provide a few more or less involved ways to discover an individual's IMSI. As practically speaking all 4G subscribers are also subscribed to previous-generation networks, the easiest way is to make use of the many security holes present in the SS7 signaling protocol. Even if the victim mostly resides in a Diameter network, an attack can be carried out by targeting the network's Interworking Function node, which is responsible for Diameter and SS7 compatibility.
If the victim can somehow avoid SS7 networks altogether but his or her usual whereabouts are known, the IMSI can be acquired by setting up a fake mobile base station to which the user connects. Alternatively, if the victim's operator allows calls over Wi-Fi, a hotspot owner can easily catch IMSIs on his or her network.
If the victim can stay clear of SS7 and avoid the previously mentioned location-based IMSI catchers, the task of getting hold of his or her IMSI fortunately becomes a bit harder, but by no means impossible.
To get hold of someone's IMSI on a Diameter-only network, the attacker needs to know the MSISDN of the victim. MSISDN is basically a fancy name for a phone number. Another bit of information the attacker needs is the address of the victim's operator's edge node. According to Bhanu Teja Kotte it can be discovered by brute force, as operators' IP ranges are public knowledge. Some operators also have their IR.21 database available on the internet, from which the relevant details can be extracted.
With this knowledge the attacker can either pose as an SMS center and send a specially crafted SMS routing request, or pose as an application server and send a specially crafted User Data Request to the victim's operator's network. Either way, the result is that the attacker gets hold of the victim's IMSI.
With that knowledge the attacker can, for example, discover the victim's location, intercept their SMS messages, DoS them, or commit fraud by making calls, sending SMS and using roaming data at their expense.
Due to the way these signaling protocols are specified, these attacks are practically impossible to prevent with hand-crafted rule sets, but a well-trained AI can alert operators about suspicious activities targeting their network or originating from it.
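The two requests described above (an SMS routing request on the S6c interface and a User Data Request on the Sh interface) both return the subscriber's IMSI in their answer, so from the operator's side the useful signal is not the individual message but who is asking and how often. The following is an added example, not code from the original post, from Positive Technologies or from CAP: a toy Python detector over constructed Diameter Edge Agent log lines that raises the kind of per-peer behavioural alert an anomaly-detection pipeline would build on. The log format, the peer hostnames and realms, the trusted-realm allowlist and the rate threshold are all assumptions made for the example.

```python
"""Toy detector for IMSI-disclosing Diameter requests (S6c SRR, Sh UDR).

Everything here is constructed for illustration: the log line format,
the peer names and realms, and the thresholds are assumptions, not taken
from any real operator's Diameter Edge Agent (DEA) logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# (interface, command) pairs whose answer carries the subscriber's IMSI.
IMSI_DISCLOSING = {("S6c", "SRR"), ("Sh", "UDR")}

# Assumed allowlist of interconnect/roaming partner realms the DEA expects.
TRUSTED_REALMS = {
    "epc.mnc001.mcc234.3gppnetwork.org",
    "epc.mnc010.mcc262.3gppnetwork.org",
}

# Assumed baseline: more distinct MSISDNs than this resolved by one peer
# inside the window looks like enumeration rather than normal traffic.
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_MSISDN = 3


@dataclass
class Req:
    ts: datetime
    origin_host: str
    origin_realm: str
    interface: str
    command: str
    msisdn: str


def parse_line(line):
    """Parse one constructed DEA log line: ts|origin-host|origin-realm|iface|cmd|msisdn."""
    ts, host, realm, iface, cmd, msisdn = line.strip().split("|")
    return Req(datetime.fromisoformat(ts), host, realm, iface, cmd, msisdn)


def detect(lines):
    """Return a list of (reason, origin_host, msisdn) alerts for the given log lines."""
    alerts = []
    history = defaultdict(list)  # origin_host -> [(ts, msisdn), ...] inside WINDOW
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        if (r.interface, r.command) not in IMSI_DISCLOSING:
            continue  # e.g. S6a ULR: does not hand an IMSI to the requester
        # Signal 1: an IMSI-returning request from a realm we have no agreement with.
        if r.origin_realm not in TRUSTED_REALMS:
            alerts.append(("untrusted-origin-realm", r.origin_host, r.msisdn))
        # Signal 2: one peer resolving many different subscribers in a short window.
        hist = history[r.origin_host]
        hist.append((r.ts, r.msisdn))
        while hist and r.ts - hist[0][0] > WINDOW:
            hist.pop(0)  # expire entries older than the window
        if len({m for _, m in hist}) > MAX_DISTINCT_MSISDN:
            alerts.append(("msisdn-enumeration-rate", r.origin_host, r.msisdn))
    return alerts


# Constructed sample log: two legitimate SRRs from a partner SMSC, then a burst
# of UDRs from an application server in an unknown realm, then an unrelated ULR.
SAMPLE_LOG = """
2024-03-01T10:00:00|smsc1.epc.mnc001.mcc234.3gppnetwork.org|epc.mnc001.mcc234.3gppnetwork.org|S6c|SRR|+441234000001
2024-03-01T10:00:30|smsc1.epc.mnc001.mcc234.3gppnetwork.org|epc.mnc001.mcc234.3gppnetwork.org|S6c|SRR|+441234000002
2024-03-01T10:01:00|as7.example-partner.net|example-partner.net|Sh|UDR|+441234000001
2024-03-01T10:01:10|as7.example-partner.net|example-partner.net|Sh|UDR|+441234000002
2024-03-01T10:01:20|as7.example-partner.net|example-partner.net|Sh|UDR|+441234000003
2024-03-01T10:01:30|as7.example-partner.net|example-partner.net|Sh|UDR|+441234000004
2024-03-01T10:02:00|mme1.epc.mnc010.mcc262.3gppnetwork.org|epc.mnc010.mcc262.3gppnetwork.org|S6a|ULR|+441234000009
"""

if __name__ == "__main__":
    for reason, host, msisdn in detect(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {host} asked about {msisdn}")
```

On the sample above the unknown realm trips the first rule on every UDR, and the fourth distinct MSISDN inside the window trips the rate rule once; the partner SMSC's two SRRs and the S6a ULR produce nothing. A fixed allowlist and a fixed threshold are exactly the hand-crafted rules the post says are not enough on their own, which is why the per-peer history is kept as a feature rather than treated as the final verdict.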
Part 1 of this blog series, Using data analytics to prevent unauthorized tracking of mobile users, discussed the basic threat scenarios.
For further information from CAP