EvilZone
Hacking and Security => Mobile Hacking => Topic started by: dagronk on November 16, 2015, 11:20:57 PM
-
Anybody discussed this vuln yet?
SS7 interception
http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
How Skylock works
https://assets.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf
Make your own IMSI
https://www.youtube.com/watch?v=e8zMaOIk1q4
Or buy one from Alibaba
http://www.alibaba.com/product-detail/tracking-suspect-location-device-IMSI-catcher_60258199529.html?spm=a2700.7724838.30.274.yrM4HA
Entry points
http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf
Sorry for posting a bunch of sh!t links but this all made for an interesting read.
It's interesting to think that access to SS7 could be gained by compromising an individual or provider in a third-world setting.
I like the sound of "Skylock" too. Sounds like something that wants to obliterate the human race.
-
Sorry for posting this late on the thread, but this topic is indeed very interesting.
I have been working with mobile communication for the past few years, and I'm honestly surprised by the low number of individuals who have any interest in it.
Playing with SS7 is not really an easy play, at least not in the beginning, even though it might seem so.
I'm hoping to get into this forum well, and then I will hopefully write a guide in regard to this topic.
-
I would much appreciate a guide ^_^
-
Hey guys, a bit late to the party on this but I've got a few resources / tutorials that might be useful:
- SS7 Track. Locate. Manipulate. - Tobias Engel Presentation @ 31C3 (https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel#video&t=133)
- SS7map - Laurent Ghigonis and Alexandre De Oliveira Presentation @ 31C3 (https://media.ccc.de/v/31c3_-_6531_-_en_-_saal_6_-_201412272300_-_ss7map_mapping_vulnerability_of_the_international_mobile_roaming_infrastructure_-_laurent_ghigonis_-_alexandre_de_oliveira#video)
- GSM Map, discover the different encryption methods etc. in use by operators in your country (https://gsmmap.org/)
- Making an IMSI catcher using an RTL-SDR (https://github.com/Oros42/IMSI-catcher)
- WP on IMSI catchers and how to catch them (https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf)
A major area that I also wanted to highlight is that many operators (if not all) use a method of T-IMSI (temporary IMSI) so that the real IMSI is never sent through the network apart from the initial registration on the network. Ideally, as marked in the country reports on GSMMap, the T-IMSI should be updated for each transaction from the UE.