The mobile switching center MSC normally holds the encryption keys used by each subscriber to be able to establish the call. When the subscriber is on the move, a handover process facilitates the smooth transition of the subscriber between the different radio cells while maintain the call progress.
In some cases the subscriber moves from one cell to another that is managed by a different VLR. In this case, the new VLR does not initially have the authentication information that would facilitate preserving the call, hence an inter MSC handover process is needed to transfer the keys to the new MSC.
This is done through a MAP message called sendIdentification. The new VLR sends a sendIdentification message to the old VLR, which in turn responds with the keys needed to maintain the ongoing call. Among these keys are the key used to encrypt the traffic over the air. In the attack scenario the attacker captures the targets traffic over the air interface (requiring physical proximity from the target).
With access to SS7, he can then use the sendIdentification message to retrieve the decryption keys for the target and use it to decrypt the traffic. The sendIdentification is only needed within the internal network during
handovers. It should have no legitimate usage from outside and hence should be filtered on the border.
Intercepting Outgoing Calls
The GSM Service Control Function (gsmSCF) is a functional entity that contains the CAMEL service logic that decides for certain for a certain set of events if the desired action can continue modified, unmodified or aborted. It can be for example used to modify outbound numbers to add the area code or international format.
An attacker with access to SS7 can use an insertSubscriberData message to change the subscriber’s gsmSCF address to an address under their control. The attacker is then able to re-write outbound dialed numbers to a number under his control. In this case the attacker will receive the outbound call, record the call before forwarding the traffic to the final destination.
Interception – Incoming Traffic – Call forwarding
The registerSS message is used to register supplementary services to a subscriber. One of these services is the call forwarding service. An attacker can use the registerSS message to enable call forwarding to a number under his control. Upon receiving the call, the attacker then uses eraseSS message to remove the call forwarding and then forward the call back to the subscriber. In this way the attacker is able to intercept and record the call.