Spoofing SS7/M3UA Traps

8 Posts
4 Users
0 Likes
291 Views
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Spoofing is a hopeless crime as jumping to a 'new' PLMN number (randomized machine routed) is simple. Filtering of ENUM blocks can help but is hopeless too. We search for a new approach for realtime fast reverse engineering to set up traps.

Where - we also have an idea - would you set up traps in the SS7/M3UA inter-CSP Communications Service Provider call routing?

Let's take an example to technically brainstorm. A mobile call is initiated in P.R.C. by China Mobile and routed into Switzerland. Before leaving P.R.C. the call gets spoofed in a DC (WeChat cloud-based) to be initiated as a Swiss PLMN.

Where in the SS7/M3UA the first time is it possible to check-back the 'sender' information and recognize the spoofing? To check-back is the key for spoofing forensics. But it's crucial to do it as close as possible to the sender. We actually check if we can take elements out of comparable Email SPF Sender Policy Framework processes. All aspects of user's ability for Call Forwarding are to be taken into consideration.

So, where would you set up the traps? How would you implement the log-forwarding out of the foreign CSP directly to LEO? The overall goal is a new form of LEO 'looking' realtime into the CSPs international backbone.

Where would you set up the traps in SS7/M3UA?

Any P.R.C. MNO forensics experts on FF? -)

 
Posted : 15/11/2017 2:16 am
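The SPF-style "check-back" idea above, as an added illustration (not code from the thread or from any operator): at the terminating country's international gateway, the ingress trunk a call arrives on is compared with the country code of the calling party number it presents. A home-network CLI arriving over a foreign interconnect is flagged unless it matches a contracted remote call centre or a subscriber the HLR/VLR knows to be roaming abroad. Trunk names, numbers, the allowlist and the roaming set are constructed sample data; ISUP/M3UA decoding is assumed to have happened upstream.

```python
"""Ingress consistency check for calling-party numbers at an international gateway.

Added example, not code from the thread. Models the SPF analogy: the gateway asks
"is this ingress route allowed to present this calling number?". Input records are
constructed, simplified IAM-like attributes; real M3UA/ISUP parsing is out of scope.
"""
from dataclasses import dataclass

DOMESTIC_CC = "41"  # assumption: the home network is Swiss (E.164 country code 41)

# Constructed: ingress trunk group -> country code of the interconnect partner
TRUNK_COUNTRY = {"TG-CN-01": "86", "TG-DE-02": "49", "TG-DOMESTIC": "41"}

# Constructed: contracted offshore call centres allowed to present a home CLI
CALLCENTRE_ALLOWLIST = {("TG-CN-01", "41800123456")}

# Constructed: home subscribers currently registered abroad, as the HLR/VLR would
# report them; a roamer legitimately calls home with a home CLI via a foreign trunk
ROAMING_SUBSCRIBERS = {"41791234567"}


@dataclass(frozen=True)
class CallSetup:
    trunk: str     # ingress trunk group the call setup (IAM) arrived on
    calling: str   # calling party number, E.164 digits without '+'
    called: str    # called party number, E.164 digits without '+'


def classify(call: CallSetup) -> str:
    """Return 'pass', 'allowlisted', 'roaming' or 'suspect' for one call setup.

    Prefix matching on DOMESTIC_CC is deliberately simple; production code must
    use a proper numbering-plan lookup (country codes differ in length).
    """
    ingress_cc = TRUNK_COUNTRY.get(call.trunk)
    if ingress_cc is None or not call.calling:
        return "suspect"            # unknown trunk or missing CLI: untrusted
    if not call.calling.startswith(DOMESTIC_CC):
        return "pass"               # foreign CLI: not the home-CLI spoof case
    if ingress_cc == DOMESTIC_CC:
        return "pass"               # home CLI on a domestic trunk is consistent
    if (call.trunk, call.calling) in CALLCENTRE_ALLOWLIST:
        return "allowlisted"        # contracted remote service presenting home CLI
    if call.calling in ROAMING_SUBSCRIBERS:
        return "roaming"            # subscriber abroad calling home
    return "suspect"                # home CLI arriving from abroad: log and trap


def audit_line(call: CallSetup) -> str:
    """One forensic log line per setup, suitable for forwarding to a SIEM/LEO feed."""
    return f"verdict={classify(call)} trunk={call.trunk} cli={call.calling} called={call.called}"
```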
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

I'm a pretty small fish on here, but my hope is that if there is a P.R.C. MNO forensic expert on here they will keep their mouth shut, or at least be very vague and not provide any specifics of value.

In the scenario described, who does that? Hackers, or terrorists maybe? So they hack SS7 and someone is supposed to get on FF and educate the community as to where the traps should be set up? It's something that we don't think of every day, but everyone on FF isn't a "Friendly."

FF is a pretty diverse community. Lots of private sector folks, law enforcement and those claiming to be one or the other. Me, I'm law enforcement and my credentials can be checked by anyone pretty easily. Not that that and 50 cents will get me anything more than a cup of coffee, but I am constantly amazed at the posts I frequently see that are better reserved for websites for members of the law enforcement community, military, or their trusted partners.

What's next? Specifics on fugitive tracking? How we determine a new phone number for a target when they have dropped their old phone? Maybe we can discuss how to trace a Swatting call? Better yet maybe we can get someone from the FBI to tell us how, or if they really defeated TOR?

As long as it's to educate the community why not? SMH!

 
Posted : 15/11/2017 3:32 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Your opinion is appreciated.

 
Posted : 15/11/2017 8:15 am
(@tinybrain)
Posts: 354
Reputable Member
 

A ppt which partly covers your problem

https://www.itu.int/en/ITU-T/Workshops-and-Seminars/callerid/Documents/presentations/S2P5-Yuan-Jing.ppt

 
Posted : 15/11/2017 8:40 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Thank you TinyBrain. The 3GPP TR 33.832 covers the issue too.

 
Posted : 15/11/2017 8:44 am
(@datredil)
Posts: 15
Active Member
 

The issue is not solvable because a lot of business services by call centers need the technical possibility to signal a HPLMN Caller ID to the receiver. Think about all the offshore services of financial and insurer administrations or may be best example are call centers of CSPs itself.

As long as remote calling services are in use - as long it's not possible to solve.

 
Posted : 15/11/2017 9:30 am
(@tinybrain)
Posts: 354
Reputable Member
 

@Datredil - I agree partly. The OIP Originating Identification Presentation in TS 24.607 v14.0.0 Rel. 14 (2017-05) is the element to focus on to protect against CID spoofing.

 
Posted : 15/11/2017 1:59 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

In P.R.C. the implementation of COLP Connected Line Presentation is enforced and strictly controlled if the change of the caller is allowed for some services (to satisfy user privacy).
But a call must be traceable to find the real caller.

 
Posted : 15/11/2017 3:00 pm