Menu
Close

Subscribe to our blog

Receive our latest posts direct to your inbox

Signalling Protection - 1 min read

How Surveillance Companies track you using SS7 on Mobile Networks

Wanda Cardenes

Wanda Cardenes

7 Jan 2021

Surveillance companies are often in the news, but the month of December, especially, brought three impactful headlines, which all related to how surveillance companies are using mobile networks to track you. So, the talk that Cathal Mc Daid, CTO of AdaptiveMobile Security, gave at the RC3 conference on 30 December could not have come at a better time.

Exploitable vulnerabilities in mobile core signalling networks have been known to exist for many years. However, very little information has been presented on whether these vulnerabilities are being exploited in real-life or not, and if so, how it is being done.

“Watching the watchers” presentation covers how there are 3 types of exploiters of mobile signalling networks. Establishing first how do we know what is malicious in terms of traffic. We then give an overview of what mobile surveillance companies do, before going into detail on how location tracking is done via SS7, Diameter and Simjacker attacks, by showing real-life examples.

We finally make a projection for 5G, and how surveillance companies will target 5G core networks as they are deployed globally over the next few years.

Example - Lack of input parameter validation attack

Example - Lack of input parameter validation attack

Example - Lack of input parameter validation attack

Content:

  • 3 Types of exploiters of mobile signalling networks
  • How do we know what is malicious?
  • What do mobile surveillance companies do
  • How location tracking is done via SS7: example
  • SS7 location tracking command ‘toolbox’ – attacker pros and cons
  • Complexity/info needed v possibility to be blocked: SS7
  • Sample real-life attempted attack – SS7
  • How location tracking is done via Diameter: example
  • SS7 location tracking command ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7 and Diameter
  • Sample real-life attempted attack - Diameter
  • Simjacker
  • How location tracking is done via Simjacker SMS
  • Simjacker location tracking commands ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7, Diameter, Simjacker
  • Sample real-life attempted attack – Simjacker
  • Distribution of location tracking commands
  • Trends of SS7 location tracking commands over time
  • How do these surveillance companies gain access?
  • 5G and mobile surveillance companies
  • 5G location tracking commands ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7, Diameter, Simjacker & 5G

SHARE

Share
Share
Tweet

Wanda Cardenes

Digital marketing strategist, bilingual in English and Spanish. With over 15 years experience in the IT, cybersecurity, retail and travel sectors in markets such as the European, US and Latin American, Wanda has extensive expertise in managing consumer-centric marketing campaigns, from communication strategy to campaign implementation, and in generating new sales opportunities through the internet. Wanda holds a PhD in Advertising and Public Relations and is passionate about technology and understanding the security it provides to protect people from cyber-attacks.