Date: December 2009
On 28th of December 2009, Philippe Langlois delivered “SCCP hacking, attacking the SS7 & SIGTRAN applications one step further and mapping the phone system” presentation for Chaos Communication Congress, in Berlin, Germany. This conference, 26C3 was one of the major conference about breakthrough in offensive and defensive computing.
Back to the good old Blue Box?
SS7 is like TCP/IP in the 1990s. It used to be quite a secure network because nobody outside the organizations (here, the mobile operators and telecom companies) were connected to it. Now it’s getting interconnected to new actors which are not that trustworthy. Somehow, hackerdom made SS7 come into existence thanks to the massive use of Blue Boxes. Now, hackerdom is getting its toy back! SS7 is nowaday more and more accessible, and as such increasingly vulnerable. So we’re getting exposed to a totally new set of protocols, as secure as TCP/IP in the 1980s. This looks like the Blue Box is coming back to life, in a very different form.
Attacking the SS7 network is fun, but there’s a world beyond pure SS7: the phone system applications themselves, and most notably what transforms phone numbers into telecom addresses (also known as Point Codes, DPCs and OPCs; Subsystem Numbers, SSNs and other various fun.), and that’s called Global Title Translation. Few people actually realize that the numbers they are punching on their phone are actually the same digits that are used for this critical translation function, and translate these into the mythical DPCs, SSNs and IMSIs. More and more data is now going through the phone network, creating more entry point for regular attacks to happen: injections, overflow, DoS by overloading capacities. And we have an ally: the mobile part is opening up, thanks to involuntary support from Motorola, Apple and Android. We’ll study all the entry points and the recent progresses in the Telecom security attacks.