While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I'm releasing the first version of ss7MAPer, a SS7 MAP (pen-)testing toolkit. The toolkit is build upon the Osmocom SS7 stack and implements some basic MAP messages. At its current state tests against the HLR are ready for use, in future versions tests against VLR. A hacker accessing the SS7 system can snoop target users, locate them, and transparently forward calls. The access to the SS7 system is possible by using any number of networks. In response to the disclosure of security issues related to the SS7 protocol, telco bodies, and operators, including the GSMA, have introduced monitoring services to.
While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I’m releasing the first version of ss7MAPer, a SS7MAP (pen-)testing toolkit.
The toolkit is build upon the Osmocom SS7 stack and implements some basic MAP messages. At its current state tests against the HLR are ready for use, in future versions tests against VLR, MSC and SMSC will follow.
The source code of the tool is published on github, feel free to use and extend.
The tool is written in Erlang; to get it running you will need the Erlang runtime environment. It is developed for version 17.5.
As example, the screen shot below shows the output of the tool against a HLR, testing which MAP messages are accepted and the results given back.
As you can see in the picture, the demonstrated test cases for the HLR respond to most of the MAP messages regardless the fact that we are not registered as valid provider. The tool is not configured as a serving MSC nor a roaming contractor. Some of the information gathered can be seen as critical, as the MSISD -> IMSI resolution, the over-the-air crypto keys or the ability to create supplementary services e.g. call forwarding.
The code (and its dependencies) are not that easy to compile but I tried to give a complete step by step instructions in the README file.
The messages and test cases are gathered from public SS7 research of the last years (see 1, 2) and check for known weaknesses in the SS7 domain.
The tool itself was developed under a cooperation with the Belgium provider Proximus and aims to test the secure configuration of the internal and external SS7 network access. Thanks a lot for giving us the opportunity here, we are convinced that the tool gives the research community but also telecommunication providers a new, important and (especially) open-source-based possibility for SS7 testing.
More about the tool and SS7 testing on Troopers TelcoSecDay, Telco Network Security & Network Protocol Fuzzing Workshop.
That’s it, get the code, try the tool.
Best wishes from Heidelberg.
A recent 60 Minutes television program exposed vulnerabilities in the world’s mobile carrier networks. This particular show talked about a flaw in SS7, a key protocol used by wireless networks, that lets hackers listen in on your phone calls and read your texts.
This information will come as no surprise to some. Like the Internet itself, mobile wireless networks were never designed for enterprise-grade security and protection against determined and sophisticated hackers. For example, IMSI-catchers represent another threat to privacy when using mobile networks.
But there are simple actions you can take to protect the privacy of your sensitive data – phone calls, text messages, e-mails, etc. – that you transmit over mobile networks using mobile devices. The simple rule of thumb: always encrypt your data before it hits the wireless network.
Phone Calls: use encrypted voice-over-IP – examples include BBM Enterprise(formerly known as BBM Protected) and SecuSUITE as well as a wide range of apps in major app stores (as long as you’re comfortable with the security of the app and its developers).
Ss7 Protocol Hack Download Windows 10
Text Messages: encrypted services include BBM Enterprise as well as a wide range of apps in major app stores.
E-mail: be sure to use services that employ end-to-end encryption. Many common consumer e-mail services offer encryption between device and cloud e-mail server but fall down when messages are then forwarded to users not on the same e-mail service.
<img src='https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=500&h=666' alt='A man using a mobile phone with a confused look on his face' width='500' height='666' srcset='https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=500&h=666 500w, https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=1000&h=1332 1000w, https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=113&h=150 113w, https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=225&h=300 225w, https://rimblogs.files.wordpress.com/2016/04/gettyimages-145065623.jpg?w=768&h=1023 768w' sizes='(max-width: 500px) 100vw, 500px' />Business Users: BlackBerry provides end-to-end encryption of the communications channel as well as S/MIME and PGP message encryption, an extra level of protection that ensures only your intended recipients can access the mail, regardless of their choice of e-mail service.
File Sharing: BlackBerry’s Workspaces is one way to ensure file data is protected regardless of which networks are used to transmit the data.
For all the aforementioned technologies – encrypted voice, text, e-mail – BlackBerry’s apps are cross-platform, supporting any operating system (iOS, Android, Windows, BlackBerry) that you (or your friends, family, and co-workers) may prefer.
Another important data privacy tool for mobile networks is the VPN, or virtual private network. If all your information flows over a VPN, it will be protected between the device and the VPN server on the other end. All mobile devices managed by BlackBerry UEM software – including those running BlackBerry, Android, iOS, and Windows Phone operating systems – include a built-in end-to-end protected connection between the device and the enterprise network. Users can use any physical network – including open Wi-Fi networks and the carrier mobile networks – and still rest assured that business information is protected.
There remains one other privacy concern brought up by the 60 Minutes piece: location. Unfortunately, mobile networks were designed to uniquely identify mobile devices (and by association, their users). For example, the IMEI number from the modem chipset and the IMSI number from the SIM card are incorporated into mobile network communications emanating from your mobile device and cannot be inhibited by the mobile OS or any apps. Rules set up by the mobile network policy organization – GSMA – require these identifiers be present.
When your device connects to mobile networks, this identifying information is recorded and could be disclosed via lawful government access requests to mobile network providers or by hackers that gain unauthorized access to the mobile network infrastructure. If you are worried about your location being tracked, the safest thing to do is avoid mobile networks entirely: use Wi-Fi data networks (with trusted access points and the aforementioned data encryption enabled) for all communications and disable mobile networks in your device settings.
Modern VoIP and text message services provide excellent quality, often better than the built-in mobile network calling and messaging services. If you must use the mobile network, as many of us do, then maximize your use of encrypted communications as described above. For example, if all of your phone calls are VoIP-based, then identifying information associated with the caller and receiver on a mobile network will simply not exist to be hacked.
Protecting your privacy on mobile goes beyond just the recently reported cell network risks, of course. When you use cloud apps such as Facebook, Yahoo, and Dropbox, your personal information is being stored in servers managed by these service providers and therefore could be exposed by hackers who can gain access to those servers or by lawful access requests made to those service providers. Services like WatchDox and BBM Enterprise that enable the data owner to control encryption – instead of the service provider – assure your privacy regardless of network or cloud service.
Your location information may also be tracked by these third-party services. And again, those services could be hacked (or subject to lawful access requests) that would expose your location. Most mobile operating systems provide options to disable location services, a draconian approach that limits device functionality but an option when privacy is at a premium. BlackBerry’s PRIV smartphone has a unique feature called DTEK which lets you track, receive notifications about, and disable location-gathering attempts made by your apps.
These simple steps will go a long way towards protecting you against the most common online attacks. At BlackBerry, we’re committed to providing all of the necessary tools to help you encrypt your data and protect your privacy.
Ss7 Tools Free Download
Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 atMEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today atMEDSecMeeting.org.