Major security flaw in SS7 – how SMS Home Routing can plug the gap

With the current buzz regarding SS7 network vulnerabilities and the exploitation of standard SMS procedures to obtain confidential subscriber data, I thought it would be interesting to discuss the 3GPP document "TR 23.840, V7.1.0 (2007-03)". This document, written in 2006 and published in 2007, describes a solution to SMS fraud ordinarily referred to as SMS Home Routing. Perhaps it seems strange that now, in 2016, we are still talking about the vulnerabilities of SS7… Well, 90% of subscribers are still on SS7, and it will be many, many years until those percentages are reversed.

TR 23.840 states: "It has been identified that the current architecture of the MT SM transfer process, although more fit for purpose at the time of its formulation, has a number of limitations and drawbacks in the current day. These include issues that were known but thought not to be of any significance (such as the receiving MS roaming in a PLMN inaccessible to the originating MS's HPLMN), issues that have only become apparent recently (such as the fraud issues of SMS faking and the distribution of Spam)."


Background info – the regular, pre-solution call flow

Before we delve into the solution we should have a basic understanding of the normal, pre-solution call flow. When a subscriber enters an SMS message it is transported over the air interface to the base station. The base station then sends the message to the serving MSC. The serving MSC embeds the message in a MAP Mobile Originating Short Message Transfer message (MO-Forward-SM) and sends it to the Short Message Service Centre (SMSC). The SMSC returns an acknowledgement to the MSC confirming receipt.

Since the SMSC does not know the location of the terminating subscriber, it requests this information from the HLR that holds the terminating subscriber's data. This is done with the MAP Send-Routing-Info-For-SM query message (SRI-For-SM). The terminating subscriber's Mobile Station International Directory Number (MSISDN) is included in the SRI-For-SM and used as the key for the HLR lookup.

After the lookup the HLR returns an SRI-For-SM acknowledgement to the requesting SMSC. At the MAP level this message includes:

  • the address (the network node number, in practice the global title) of the current MSC/VLR serving the recipient subscriber;
  • the International Mobile Subscriber Identity (IMSI) of the recipient subscriber.

Note that any node that can get an SRI-For-SM into the HLR receives both values: the IMSI, and the address of the serving MSC/VLR, which reveals the network and region the subscriber is currently in. This is the information leak the rest of the article is about.

Figure 1 – SMS Mobile Terminating call flow

Figure 2 shows a subscriber "B" who is in their home network sending an SMS to subscriber "A" who is in their home network "A".

Figure 2 – Normal Home Scenario

Figure 3 shows a subscriber "B" who is in their home network sending an SMS to subscriber "A" who is currently roaming in network "C".

Figure 3 – Normal Roaming Scenario


3GPP's Proposal for Security (and for value-add services)

OK, enough talk about the call flows and network diagrams of the original SMS procedures.

3GPP TR 23.840 introduces a proposed solution that puts the home network of the recipient subscriber in control of delivering the SMS message, so that both value-added services and security can be provided to subscribers. This holds whether the subscriber is in the home network or roaming in a foreign network. The proposed solution introduces a new node type referred to as an "SMS Router". Figure 4 shows the mobile terminating call flow.

In this case the HLR does not answer the SRI-For-SM from the SMSC itself; it passes the query on to the SMS Router. The SMS Router then sends its own SRI-For-SM to the HLR, built from the information it received, and the HLR answers it with an SRI-For-SM acknowledgement carrying the real routing information. Once this exchange is complete the SMS Router formulates an SRI-For-SM acknowledgement and sends it to the SMSC. One might validly ask: we have inserted an extra node (the SMS Router) in the process, but isn't everything else basically the same? We still answer the SRI-For-SM sent by the SMSC with an SRI-For-SM Ack; it just comes from the SMS Router rather than the HLR. The short answer is "yes"; however, the information contained in the SRI-For-SM Ack sent by the SMS Router is quite different.

There are two major differences in the contents of the SRI-For-SM Ack:

  1. Rather than sending the IMSI of the recipient subscriber, the SMS Router inserts a Correlation ID in the IMSI field. The real IMSI stays confidential and cannot be used in fraudulent scenarios; only the SMS Router can map the Correlation ID back to the subscriber.
  2. The SMS Router sends its own address as the node serving the recipient subscriber rather than the subscriber's actual location. This forces the requesting SMSC to send the SMS message (MT-Forward-SM) to the SMS Router for delivery, keeping the SMS Router in the SMS delivery path. This enables the SMS Router to perform value-added and security functions, including the prevention of spamming, spoofing and faking.
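To make the two call flows concrete, here is an added simulation of the SRI-For-SM / MT-Forward-SM exchange, run once in the pre-solution form (HLR answers the SMSC directly) and once with an SMS Router in the path. It is example code written for this article, not code from 3GPP or from any product. The messages are plain Python dictionaries rather than ASN.1-encoded MAP operations, the subscriber, global titles and home PLMN code are constructed, and the Correlation ID format (home MCC+MNC plus nine random digits) and the anti-faking policy (the MT-Forward-SM must come from the SMSC that issued the SRI-For-SM, and each Correlation ID is single-use) are assumptions chosen for illustration, not requirements of TR 23.840.

```python
"""
Simplified model of the mobile terminating SMS exchange: SRI-For-SM followed
by MT-Forward-SM, without and with an SMS Router in the path. Constructed
illustration only: messages are dicts, not MAP ASN.1, and all data is made up.
"""
import secrets

HOME_MCC_MNC = "310150"  # assumed home PLMN code used to mint correlation IDs

# Constructed HLR contents: MSISDN -> IMSI and global title of the serving MSC/VLR.
HLR_DB = {"+15551234567": {"imsi": "310150123456789", "vmsc_gt": "+15559990001"}}


class VMSC:
    """Visited MSC/VLR: simply records what it is asked to deliver."""
    def __init__(self, gt):
        self.gt = gt
        self.delivered = []

    def mt_forward_sm(self, msg):
        self.delivered.append(msg)
        return {"result": "delivered"}


class SMSRouter:
    """Home network node placed between the HLR and external SMSCs."""
    def __init__(self, gt, nodes):
        self.gt = gt
        self.nodes = nodes      # gt -> node, the home network's own routing view
        self.pending = {}       # correlation id -> stored real routing info

    def handle_sri_for_sm(self, hlr, msisdn, smsc_gt):
        # The router asks the HLR itself for the real IMSI and serving MSC.
        real = hlr.sri_for_sm(msisdn, smsc_gt, from_router=True)
        if "error" in real:
            return real
        # Assumed format: 15 digits with the home MCC+MNC prefix so the value
        # still passes an SMSC's sanity check on the IMSI field.
        corr_id = HOME_MCC_MNC + f"{secrets.randbelow(10**9):09d}"
        self.pending[corr_id] = {"real": real, "smsc_gt": smsc_gt}
        # Ack to the SMSC: correlation ID in place of the IMSI, the router's own
        # address in place of the serving MSC. The SMSC learns neither secret.
        return {"imsi": corr_id, "network_node_number": self.gt}

    def mt_forward_sm(self, msg):
        entry = self.pending.pop(msg["imsi"], None)  # assumed single-use ID
        if entry is None:
            return {"error": "unknownSubscriber"}
        # Assumed anti-faking check: the message must arrive from the SMSC
        # that requested routing information for this correlation ID.
        if msg["smsc_gt"] != entry["smsc_gt"]:
            return {"error": "rejected_smsc_mismatch"}
        real = entry["real"]
        vmsc = self.nodes[real["network_node_number"]]
        # Only now is the real IMSI put back and the message forwarded on.
        return vmsc.mt_forward_sm({**msg, "imsi": real["imsi"]})


class HLR:
    def __init__(self, db, router=None):
        self.db = db
        self.router = router

    def sri_for_sm(self, msisdn, smsc_gt, from_router=False):
        sub = self.db.get(msisdn)
        if sub is None:
            return {"error": "unknownSubscriber"}
        if self.router is not None and not from_router:
            # Home routing: external queries are handed to the SMS Router.
            return self.router.handle_sri_for_sm(self, msisdn, smsc_gt)
        return {"imsi": sub["imsi"], "network_node_number": sub["vmsc_gt"]}


def run_scenario(home_routing, smsc_gt="+4477000001", forward_from=None):
    """Drive one MT SMS from an external SMSC (constructed GT).

    Returns (sri_ack, delivery_result, vmsc, nodes). forward_from lets a
    caller send the MT-Forward-SM from a different SMSC address than the one
    that issued the SRI-For-SM, i.e. impersonate another SMSC.
    """
    vmsc = VMSC("+15559990001")
    nodes = {vmsc.gt: vmsc}
    router = SMSRouter("+15559990777", nodes) if home_routing else None
    if router is not None:
        nodes[router.gt] = router
    hlr = HLR(HLR_DB, router)
    ack = hlr.sri_for_sm("+15551234567", smsc_gt)
    # The SMSC delivers to whichever node the ack named, with the IMSI field as given.
    msg = {"imsi": ack["imsi"], "smsc_gt": forward_from or smsc_gt, "text": "hello"}
    result = nodes[ack["network_node_number"]].mt_forward_sm(msg)
    return ack, result, vmsc, nodes


if __name__ == "__main__":
    for home_routing in (False, True):
        ack, result, _, _ = run_scenario(home_routing)
        print(f"home_routing={home_routing}: SMSC learned {ack}, delivery {result}")
```

Running the script shows the point of the two differences listed above: without home routing the querying SMSC is handed the real IMSI and the serving MSC address, with home routing it only ever sees a Correlation ID and the SMS Router's address, yet the message still reaches the visited MSC with the real IMSI restored by the router.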

Figure 4 – SMS Mobile Terminating call flow with SMS Router

Now that we have discussed the call flows of mobile terminating SMS messages, let's see what the networks and call flows shown in Figures 2 and 3 would look like with the inclusion of an SMS Router.

As you can see in Figure 5, the SMS Router responds to the SMSC with the requested routing information. Additionally, the SMS Router is in the delivery path of the messages, enabling it to deliver value-added and security services to the recipient subscriber.

Figure 5 – Home Scenario with SMS Home Router in place

As you can see in Figure 6, the SMS Router responds to the SMSC with the requested routing information. Additionally, the SMS Router is in the delivery path of the messages even when the recipient subscriber is roaming, enabling it to deliver value-added and security services to the recipient subscriber.

Figure 6 – Roaming Scenario with SMS Home Router in Place


Conclusion

Without the implementation of SMS home routing, mobile subscribers are not covered by the security and message management mechanisms of their home network, and anyone who can send an SRI-For-SM to the HLR obtains their IMSI and current serving MSC. The subscriber may find that their Quality of Experience (QoE) is severely impacted, especially as it relates to SMS spam and fraud. This reduction in QoE can lead to dissatisfied customers who are more likely to investigate moving to another network provider. The implementation of Home Routing using the SMS Router methodology defined by 3GPP TR 23.840 provides an efficient means of providing security services and value-added services, and plugs one of the largest vulnerabilities in the SS7 network. It closes the SRI-For-SM leak specifically; it does not inspect other MAP operations, so it complements rather than replaces filtering of the remaining SS7 signalling.

For more information on SMS security and Home Routing, see our Security Solutions.
