Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding

The global telephone network is relied upon by billions every day. Central to its operation is the Signaling System 7 (SS7) protocol, which is used for setting up calls, managing mobility, and facilitating many other network services. This protocol was originally built on the assumption that only a small number of trusted parties would be able to directly communicate with its core infrastructure. As a result, SS7 — as a feature — allows all parties with core access to redirect and intercept calls for any subscriber anywhere in the world. Unfortunately, increased interconnectivity with the SS7 network has led to a growing number of illicit call redirection attacks. We address such attacks with Sonar, a system that detects the presence of SS7 redirection attacks by securely measuring call audio round-trip times between telephony devices. This approach works because redirection attacks force calls to travel longer physical distances than usual, thereby creating longer end-to-end delay. We design and implement a distance bounding-inspired protocol that allows us to securely characterize the round-trip time between the two endpoints. We then use custom hardware deployed in 10 locations across the United States and a redirection testbed to characterize how distance affects round trip time in phone networks. We develop a model using this testbed and show Sonar is able to detect 70.9% of redirected calls between call endpoints of varying attacker proximity (300–7100 miles) with low false positive rates (0.3%). Finally, we ethically perform actual SS7 redirection attacks on our own devices with the help of an industry partner to demonstrate that Sonar detects 100% of such redirections in a real network (with no false positives). As such, we demonstrate that telephone users can reliably detect SS7 redirection attacks and protect the integrity of their calls.
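The detection idea in the abstract, as an added example that is not code from the Sonar paper: a verifier authenticates timed challenge/response rounds and flags a call whose round-trip time exceeds what known-good calls on the same route show. The shared key, the mean + 3·stdev bound, the function names and all millisecond values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import statistics

def respond(key: bytes, nonce: bytes) -> bytes:
    """Responder: prove possession of the shared key for this fresh nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def rtt_bound(baseline_ms, k=3.0):
    """Largest RTT still treated as normal: mean + k * stdev of known-good calls."""
    return statistics.mean(baseline_ms) + k * statistics.stdev(baseline_ms)

def classify_call(key, rounds, baseline_ms):
    """rounds: list of (nonce, response, rtt_ms) collected during one call."""
    nonces = [n for n, _, _ in rounds]
    if len(set(nonces)) != len(nonces):
        return "auth-failure"      # reused nonce: an old reply could be replayed
    for nonce, response, _ in rounds:
        if not hmac.compare_digest(response, respond(key, nonce)):
            return "auth-failure"  # reply did not come from the key holder
    # A party in the path can add delay but cannot remove it, so an
    # authenticated reply that arrives late indicates a longer path.
    median_rtt = statistics.median([rtt for _, _, rtt in rounds])
    return "redirect-suspected" if median_rtt > rtt_bound(baseline_ms) else "ok"

def simulate(responder_key, rtts_ms):
    """Constructed call: one challenge/response round per simulated RTT."""
    rounds = []
    for rtt in rtts_ms:
        nonce = os.urandom(16)
        rounds.append((nonce, respond(responder_key, nonce), rtt))
    return rounds

# Constructed sample data (milliseconds), not measurements from the paper.
KEY = b"constructed-shared-key"
BASELINE_MS = [352, 360, 348, 371, 355, 363, 358, 349]
DIRECT_MS = [354, 366, 359, 372, 361]
REDIRECTED_MS = [498, 512, 505, 520, 501]

if __name__ == "__main__":
    for label, rtts in (("direct", DIRECT_MS), ("redirected", REDIRECTED_MS)):
        print(label, classify_call(KEY, simulate(KEY, rtts), BASELINE_MS))
```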
