Subscriber traffic interception
The risk of subscriber traffic interception is still high� The vast majority of attempts
to intercept subscriber SMSs was successful� Today, extremely
important data are
transmitted via SMS messages: passwords for two-factor authentication sent by
e-banking and internet payment systems� Leakage of such information affects the
operator's
reputation, and might result in contract termination by customers, in-
cluding companies with a large volume of traffic�
Attempts to tap or redirect terminating and originating calls were successful in
more than half of all cases�
Redirection means transferring a call to a third-party number� Further
development
of this attack establishes a connection so that an attacker could tap a subscriber's
conversation�
The message UpdateLocation is used to inform the HLR about a change a mo-
bile switch� Terminating SMSs or calls are intercepted by sending a fake request to
register a subscriber in an intruder's network� When a terminating call is received,
the operator's network sends a request to a fake network
to obtain the subscrib-
er's roaming number� An attacker can send the number of his or her
telephone
exchange in response, and the incoming traffic will be transmitted to the attack-
er's equipment� After sending another request to register the subscriber in the real
network, the attacker can redirect the call to the subscriber's number� As
a result,
the conversation will pass through the equipment controlled by the attacker� The
same principle is used for interception of terminating calls via RegisterSS, but in this
case terminating calls are unconditionally redirected to the intruder's telephone
exchange�
Nine out of ten SMS
messages can be
intercepted
Figure 11� Methods for intercepting and forwarding subscriber traffic (percentage of successful attacks)
2015
2017
2016
0%
Call
interception and forwarding
SMS interception
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
65%
61%
53%
89%
88%
90%
SS7 VULNERABILITIES
AND ATTACK EXPOSURE REPORT
12