Locating Mobile Phones Using Signalling System #7

2m ago
1 Views
0 Downloads
893.26 KB
29 Pages
Last View : 1m ago
Last Download : n/a
Upload by : Aarya Seiber
Transcription

Locating Mobile Phonesusing Signalling System #7Tobias Engel tobias@ccc.de twitter: @2b as

What is Signalling System #7? protocol suite used by most telecommunications operatorsthroughout the world to talk to each otherstandardized in ITU-T Q.700 serieswhen it was designed, there were only few telecoms operators,and they were either state controlled or really big corporationstrusted each other, so no authentication built intoday, everybody can be an operator (e.g. VoIP), so SS7 accessis easier to getLocating mobile phones using SS72

Mobile Application Part (MAP) part of SS7 that specifies additional signalling that is required formobile phones to work (roaming, SMS, etc.)standardized in 3GPP TS 29.002in order for two network operators to talk MAP to each other theyusually need a roaming agreementLocating mobile phones using SS73

Visitor LocationRegister: a databaseclose to your currentlocation that has acopy of yoursubscription datafrom the HLRBase Station Subsystem:the radio stuff (cell towersetc.)Mobile SwitchingCenter: a switch thatroutes calls andmessages from and toyour phoneotherLocatingmobile andphonesusing SS7switchesHome LocationRegister: thedatabase that knowsyour phonenumberand which networkyou are currently4visiting

What does the network know about yourlocation? the location of the cell tower is also a pretty good approximationof your locationbut that information is only known to the network you arecurrently logged intorestricted to technical operation of the network - exceptions: "Locate my phone" services–have to assure the operator that they have the consent of the phone'sowner–doesn't work anymore as soon as you are logged into a network thatis not your home networkLaw enforcement–have to call the operator of the network you are currently logged into(not your home network operator)Locating mobile phones using SS75

Can somebody with SS7/MAP access find outyour location? services that can be initiated to your phone number from almostanywhere in the global SS7 network are voice calls short messagesLet's see if these services give any indication of your location.Locating mobile phones using SS76

Call setupHome network (HPLMN)SS7Gatewayswitch(GMSC)Call setupmessage(IAM)Visited network (VPLMN)Home DB(HLR)MAP SENDROUTINGINFORMATIONMAP SENDROUTINGINFORMATION AckSwitch(MSC)VisitorDB (VLR)Radiointerface(BSS)123456789*0#MAP PROVIDEROAMING NUMBERMAP PROVIDEROAMING NUMBERAckCall setup message (IAM)Call setup (SETUP)Locating mobile phones using SS77

Sending a short messageHome network(HPLMN)Visited network (VPLMN)SwitchSS7Home DB(HLR)MAP SENDROUTINGINFO FOR SM(MSC)VisitorDB (VLR)Radiointerface(BSS)123456789*0#MAP SENDROUTINGINFO FOR SM AckMAP MT FORWARD SHORT MESSAGEMessage transferLocating mobile phones using SS78

Sending a short messageHome network(HPLMN)Visited network (VPLMN)SwitchSS7Home DB(HLR)MAP SENDROUTINGINFO FOR SM(MSC)VisitorDB (VLR)Radiointerface(BSS)123456789*0#MAP SENDROUTINGINFO FOR SM AckMAP MT FORWARD SHORT MESSAGEMessage transferLocating mobile phones using SS79

MAP-SEND-ROUTING-INFO-FOR-SM(3GPP TS 29.002) no correlation between requesting routing info for a messageand actually sending a messageSMS are sent directly from the SMSC of the sender to the MSCthat you are currently usingsuccessful request returns: your IMSI ("real" phone number) global title of MSC you are using user error (e.g. "Absent subscriber" your phone is off)Locating mobile phones using SS710

Mobile Switching Center (MSC) handles calls and SMScan only handle a certain amount of calls, so in big cities theremight be more than one MSC for each network, while in thecountryside one MSC might serve a really large areaglobal title of the MSC tells us which country you are currently in,because it starts with the country codemaybe also the network, if mobile networks in that country canbe identified by their area codeother than that: numbering is operator internal. but that doesn't mean that we cannot get further informationfrom the number by looking at it long enoughLocating mobile phones using SS711

MSC global title (examples)T-Mobile GermanyVodafone GermanyBerlin 491710360000 491720012097Hamburg 491710400000 491720022097Frankfurt 491710650000 491720061097Stuttgart 491710700000 491720076097München 491710870000 491720082097Locating mobile phones using SS712

MSC global title (examples)T-Mobile GermanyVodafone GermanyFirst digit of area codeFirst digit of ZIP codeBerlin 491710360000 491720012097Hamburg 491710400000 491720022097Frankfurt 491710650000 491720061097Stuttgart 491710700000 491720076097München 491710870000 491720082097Locating mobile phones using SS713

Automated approach to narrow down the areaan MSC is serving (1/2) Rop had a great idea: if we have a lot of mobile phone numbersand already know their location, we could query the network forthe current MSC of these numbers, thus creating a MSC geolocation mappingthanks to erdgeist, we have a decoded copy of the "DasTelefonbuch" CDsent tens of thousands ofMAP SEND ROUTING INFO FOR SM requests for numbersfrom the phonebook requests where done at night, when most people are at home removed the obvious errorsLocating mobile phones using SS714

491710360000Locating mobile phones using SS715

491710310000Locating mobile phones using SS716

491720022097Locating mobile phones using SS717

491760000031Locating mobile phones using SS718

491760000375Locating mobile phones using SS719

Automated approach to narrow down the areaan MSC is serving (2/2) big thanks to itsme, who created such a mapping for theNetherlandsother countries also possible if there are phone books availableLocating mobile phones using SS720

"No one I know is a network operator - so I canbe pretty sure that no one who would carefinds out my location, right?" wrong: there are several companies offering a lookup servicewhere you send them an MSISDN, they perform a MAP-SENDROUTING-INFO-FOR-SM request and send the IMSI and MSCthey receive from the HLR back to youcost per request is in the low single euro cent areaLocating mobile phones using SS721

What is the business case for selling thisservice? Evil Spammer wants to send spam SMS without payinghe has SS7 access, and can also send MAP requests, but of coursehe has no roaming agreements with any other operators, so they don'tanswer his requestsbut: sending a message viaMAP MT FORWARD SHORT MESSAGE does not even require ananswer!Evil Spammer just needs to know, to which MSC the message shouldbe sent, so he uses one of these services.then he sets the sender address of the SMS request to that of anothernetworks short message centerthe receiving network bills the SMS to that other network free spamSMS!Locating mobile phones using SS722

I don't want to be located - what can I do? (1/2) SMS "home routing" (3GPP TR 23.840) will fix the problem all messages to your phone are routed to an SMS router in yourhome networkthat router will then deliver the message to your phoneMAP-SEND-ROUTING-INFO-FOR-SM only returns the ISDNnumber of the SMS router instead of the IMSI, a random "correlation id" will be returned operators will implement this to–prevent fraud–enable "VAS"–enable "lawful interception" of SMS sent to you when you are inanother countryLocating mobile phones using SS723

SMS "home routing" (3GPP TR 23.840)Home network (HPLMN)SS7Visited network (VPLMN)SMSRouterHome DB(HLR)Switch(MSC)VisitorDB (VLR)Radiointerface(BSS)123456789*0#MAP SEND MAP SEND ROUTINGROUTINGINFO FOR SM (1)INFO FOR SM MAP SEND ROUTING(1)INFO FOR SM (2)MAP SEND ROUTINGINFO FOR SM Ack (2)MAP SEND ROUTINGINFO FOR SM Ack (1)MAP MT FORWARDSHORT MESSAGEMAP MTFORWARDSHORTMESSAGELocating mobile phones using SS7Message transfer24

I don't want to be located - what can I do? (2/2) until home routing is in use: some networks offer multiple SIMs for one phone number and usean SMS router to decide which SIM will receive the SMS (e.g. o2Germany) let your operator block incoming SMS for your phone number switch your phone offLocating mobile phones using SS725

What's next: Optimal routeing Specified in 3GPP TS 23.079makes it possible to route calls directly to the network you arecurrently logged intothis can only work if the entity that sets up the call has a way offinding out, which MSC you are currently using. OR is currently not widely in use charging issues have to be worked outLocating mobile phones using SS726

Call setup with Optimal RouteingHome network(HPLMN)SS7Home DB(HLR)MAP SENDROUTINGINFORMATIONMAP SENDROUTINGINFORMATION AckVisited network (VPLMN)Switch(MSC)VisitorDB (VLR)Radiointerface(BSS)123456789*0#MAP PROVIDEROAMING NUMBERMAP PROVIDEROAMING NUMBERAckIAMSETUPLocating mobile phones using SS727

Questions?Locating mobile phones using SS728

References Signalling System #7, ITU-T Q.700 series:http://www.itu.int/rec/T-REC-Q/eMobile Application Part (MAP) specification, 3GPP TS 29.002:http://www.3gpp.org/ftp/Specs/archive/29 series/29.002/Reverse-Engineering für Ortsfremde, Datenschleuder #77 (Seite 26):http://ds.ccc.de/pdfs/ds077.pdfLeichtes Spiel mit symboltables, Datenschleuder #86 (Seite dy into routeing of MT-SMs via the HPLMN, 3GPP TR 23.840:http://www.3gpp.org/ftp/Specs/archive/23 series/23.840/Support of Optimal Routeing (SOR), 3GPP TS 23.079:http://www.3gpp.org/ftp/Specs/archive/23 series/23.079/Locating mobile phones using SS729

Locating mobile phones using SS7 3 Mobile Application Part (MAP) part of SS7 that specifies additional signalling that is required for mobile phones to work (roaming, SMS, etc.) standardized in 3GPP TS 29.002 in order for two network operators to talk MAP to each other they usually need a roaming agreement

Related Documents:

AUTOMATIC NUMBER PLATE RECOGNITION TECHNOLOGY 4 2.1. PLATE LOCATING Plate locating technology does not rely on the plate color or character structure, and can locate monolayer (single section) and bilayer (dual section) plates. The plate locating procedure consists of rough locating, false plate filtering, fine locating, and post processing.

CONTENT NOTES A. INTRODUCTION TO MOBILE PHONES AND SERVICE PROVIDERS 1. Mobile phones acronyms and terminologies 2. Mobile phone bands and their uses 3. Types of mobile phones 4. Phone accessories and their functions 5. Types of menus and sub-menus 6. Service providers and their codes B. BASIC COMPUTER AND INTERNET CONCEPTS. 1.

SIP SIP phones Blustar 8000i NA SIP SIP phones 9112i, 9133i, 480i Not Supported SIP SIP phones 673xi ( A673xi), 675xi ( A675xi) NA SIP SIP phones 6735i, 6737i ( A6735i, A6737i) NA SIP SIP phones 6739i NA SIP SIP phones 6863i, 6865i, 6867i NA SIP MiVoice Conference phone (UC360

Get the latest updates on mobile phones, mobile phones reviews, mobile phones . ASUS ROG Phone 5 will be released on 30 April in Singapore, available for . Galaxy S21 FE may be released in August to fill the gap left by Note series . Huawei Mobile Assistant latest version can recognize HarmonyOS 2.0.

Top 5 budget mobile phones 1. Xiaomi Redmi Note 7S 2. Xiaomi Redmi Note 7 3. Samsung Galaxy M20 4. Asus ZenFone Max Pro M2 5. Realme U1 Student's preference to purchase mobile phone PercenMobile phone features, size and colour durability and reliability of mobile phones portability of mobile phone brands

The major metals content of mobile phones has been analyzed since the initial growth of the industry, and updates continue to become available. Data from earlier generation phones (pre-1997) is shown in Table 1. Major Metals Content of Mobile Phones Copper (Cu) 49.0% Zinc (Zn) 21.8% Iron (Fe) 11.6% Nickel (Ni) 6.5% Aluminum (Al) 5.5% Lead (Pb) 1.9%

Lesson 1 – Telephone English Phrases First let's learn some essential telephone vocabulary, and then you’ll hear examples of formal and informal telephone conversations. There are different types of phones: cell phones or mobile phones (a cell phone with more advanced capabilities is called a smartphone) pay phones or public phones

Engineering (Signalling) Procedure ESD-25-01 CAD & Drafting Manual for Signalling Drawings Contents Version 1.2 Date of last revision: 13 August 2010 Page 3 of 65 This document is uncontr

Dynamics of multiple signalling systems: animal communication in a world in flux Jakob Bro-Jørgensen Mammalian Behaviour & Evolution Group, Faculty of Health and Life Sciences, University of Liverpool, Leahurst Campus, Neston, CH64 7TE, UK The ubiquity of multiple signalling is a long-standing puzzle

Mobile Phones and †Agricultural Markets in Niger By Jenny C. Aker* Price dispersion across markets is common in developing countries. Using novel market and trader-level data, this paper provides esti-mates of the impact of mobile phones on price dispersion across grain markets in Niger. The introduction of mobile phone service

Students were concerned about the use of mobile phones to cheat. Research supports their concerns. CommonSense Media (2009) found that 35% of students admitting using their mobile phones for this purpose. Students in a 2011 study expressed concern that mobile phones can potentially give students an unfair advantage

Within South Africa research done by Kreutzer (2009) focused on the use of mobile phones by low-income youth. Apart from a study by Chigona, Kamkwenda and Manjoo (2008) which focused on the use of mobile Internet, no definitive literature on how South African University students use and perceive mobile phones has been found.

education goals. Specifically, the study sets out to: 1. Evaluate the frequency in which Nigerian private university students are involved in PBL 2. Determine the number of students that have and use mobile phones 3. Document mobile phone services available in the mobile phones students enrolled in Nigerian private universities use 4.

Tor On Maemo And The Nokia N900 Orbot: Tor On Android Mobile Tor: Tor On The iPhone. Mobile Phones (In)Security. Mobile Phones Growth Computational power High speed data networks “Real” operating system. Phones Are Personal Raise hand who

exclusively on mobile phones. Android 2.x releases were mostly used for mobile phones but also some tablets. Android 3.0 was a tablet-oriented release and does not officially run on mobile phones. While both phone and tablet compatibility was merged to Android 4.0. The current Android version is7.1 Nougat.

Mobile phones help keep us and our kids safe. A Parent's uide to obile Phones 6 Today's mobile ecosystem means shared responsibility The mobile ecosystem now has many moving parts, each of which has a role to play in cellphones users' safety, privacy and security. In addition to the service

the mobile phones, some of which are known to cause nosocomial infections. The study also demonstrated that the microorganisms isolated from both the mobile phones and the hands of the healthcare workers were similar. (Another important finding was that 89.5% of the participants never cleaned their mobile phones.)

Mobile phones were among the few technologies which spread so rapidly in the world. People use cell phones for different purposes. Firstly cell phones were considered a tool to help in business but now they are more helpful in social lives of people as well as in business field. According to a survey in 2001 by

and non-smart mobile phones currently available in Cambodia; to determine the penetration rates of these phones; to assess the level of actual usage of Khmer script in Khmer-enabled phones; to learn which models are being used to access the Internet/Facebook; and to chart changes in these factors over the course of

The facts and extensive procedural history of Albert Woodfox’s case have been recounted time and again, but they bear repeatingsince they factored into theunconditional writ granted by the district court On April 17, 1972, . Correctional Officer Brent Millerof the Louisiana State Penitentiary in , Angola, Louisiana, was found murderedin the prison dormitory , havingbeen stabbed 32 times. The .