1. Field of the Invention
The invention relates to a method and a device for securing a Signalling System No. 7 Interface, SS7 Interface, which allows access to a local mobile radiocommunications network, in relation to an external system.
2. Description of the Related Art
Signalling System No. 7 (referred to below as SS7) was standardised in the 70s by the ITU and serves as a switching protocol to set up telephone connections.
SS7 is a collection of protocols and methods for signalling in telecommunications networks.
It is used in the public telephone network, in conjunction with ISDN, fixed-line and mobile radiocommunications networks and, since approximately 2000, also increasingly in VoIP networks. In VoIP networks, SS7 is only used in conjunction with Media Gateway controllers. The protocol collection is also known under other names such as Signalling System Number 7, Signalling System No. 7, Central Signalling System No. 7, ZZS7, CCITT Signalling System No. 7, Central Signalling System #7 and C7.
Detailed proposals for the implementation of national and international signalling networks are developed by the ITU-T (formerly known as CCITT) under the designation “ITU-T Recommendation Q.xxx” in the Q.600 and Q.700 series. The proposals are translated into binding standards by standardisation organisations such as ETSI (European Telecommunications Standards Institute) or ANSI (American National Standards Institute) and by the IETF (Internet Engineering Task Force) in the form of RFCs.
SS7 is now the most common and often the only signalling system in national and international telecommunications networks. As a result of this popularity, various protocols of the SS7 suite have been specified, developed and used for SS7oIP (Signaling System Over Internet Protocol).
Telecommunications devices such as switching devices or gateways operate with SS7 protocol stacks which are adapted to the national standards or to the requirements of the individual service providers. Like the majority of ITU-T recommendations, the Q.600 and Q.700 series have a very variable structure and allow a plurality of variations. Therefore, in contrast to IP, for example, there is no standardised SS7 protocol stack, but rather specific implementations.
SS7 is a central signalling system or “Common Channel Signalling System”. A separate channel in a transmission system (normally a multiplex system) transmits the signalling information for all user channels (bearer channels) or telephone channels. This signalling information can contain, for example, information about called or calling numbers, charges, busy, call number unknown, etc.
SS7 is a highly efficient protocol which gets by with comparatively small amounts of data in comparison to other types of communication.
In mobile communication networks, the signalling ratio is very high as a result of mobility and the use of SMS. There are systems, both in the fixed-line network and above all in the mobile network, which have only signalling connections, such as, for example, an SMS Center (SMSC).
SS7 provides methods for detecting faults as rapidly as possible and for finding alternative paths. The switchover times in the case of an error or in the event of a failure of a node are generally in the range of a few milliseconds.
The most important components of SS7 are recommendations which describe different partial aspects of the complex communication model (see FIG. 10):
MTP—Message Transfer Parts
MTP or Message Transfer Part describes how signalling information is transmitted. This includes definitions of the electrical or optical interfaces, details as to how individual messages are separated from one another, and how individual switching devices (or, more precisely, signalling points in the jargon of the ITU-T) are addressed.
MTP Level 1 specifies the physical, electrical and functional parameters for a signalling link. This includes specifications such as clock rate, voltages, coding methods as well as the dimension and shape of the plug connector. Interfaces which correspond to the recommendations V.35 or G.703 are commonly used. Level 1 represents the bit transmission layer for a signalling link which, in a digital network, is normally composed of a 64-kbit/s channel.
MTP Level 2 specifies the methods for an error-free exchange of messages via a signalling link. This includes functions for activating or terminating the message connection, checking for errors and correcting them where necessary. The messages are separated from one another by flags. Level 2 is similar in structure to the frequently used HDLC procedure, but is expanded by several functions.
MTP Level 3 defines the interaction of several individual signalling links. It deals with all the aspects which are shared at a logistical level for the exchange of messages between two signalling points across several signalling links. This includes passing on incoming messages to the desired signalling link. The separation of these functions into a separate level 3 also serves to administer the signalling network: signalling links can be added or, in the event of an error, switched to a replacement path without the configuration of the higher, more abstract levels having to be changed.
E1 LSL and HSL connections: E1 LSL has been used since the introduction of SS7. LSL (Low Speed Link) refers to connections in which 64-kbit/s time slots are used. Since only 16 time slots can be switched for each linkset, the bandwidth is correspondingly restricted. This results in a bandwidth of only 1 Mbit/s for each linkset. HSL (High Speed Link) has been specified for some time. HSL enables a bandwidth of 2 Mbit/s for each time slot, which would produce a theoretical bandwidth of 32 Mbit/s for a linkset. HSL is used where the bandwidth with LSL is too small. Since, however, HSL is very expensive, it is only used if, for example, SS7oIP, the low-cost alternative, is not (yet) achievable as a result of an absence of connection possibilities in the network.
Linkset refers to the logical connection between two Signaling Point Codes (SPCs). Linksets are only used in the case of E1 connections, not in the case of SS7oIP. The restriction to 16 time slots per linkset is not least due to the missing bits for the SLC in the ITU standard, since the SLC (Signalling Link Code) has only 4 bits there. In the ANSI standard, however, 8 bits are available for the SLC, which then enables 256 time slots. If, however, more time slots (bandwidth) must be available between two pointcodes and HSL is not possible, a second linkset must be created. To enable this, a Capability Pointcode is set up in the Signalling Transfer Point (STP) which makes it possible to define a further linkset.
The User Parts describe the functions which are available to a user. These functions can depend on the service used (ISDN, analogue telephone, mobile radiocommunications) and are thus described separately. The most important User Parts are:
TUP Telephone User Part is the simplest User Part which only describes basic functions. This includes information such as establishing a connection (calling), terminating a connection (hanging up), busy or call number unknown.
ISUP ISDN User Part describes the functions which are available to ISDN users. This includes the description of the service or bearer capability as the most important element. ISDN makes it possible to operate various terminals such as telephone, fax or computer at the same connection. In the case of a connection in the ISDN, a description of the service type is always also transmitted so that only that terminal which also supports the desired service responds. This prevents, for example, a fax device from attempting to start a speech connection if both terminals are ISDN-capable.
DUP Data User Part is intended to transmit special information for data connections.
The most used part is currently ISUP.
Signalling Connection Control Part (SCCP) is a layer which sits on top of MTP Level 3 and enables end-to-end signalling in the signalling network. Four service classes are available in the SCCP:
Class 0: Connectionless basic service: longer messages can be split. Higher layers are then responsible for the correct reassembly of these parts.
Class 1: Connectionless service with sequence numbers: this number (SLS code) is 4 or 8 bits long (ITU-T or ANSI standard). Associated messages use the same SLS code. If several connections (linksets) are used for one message, the sequence number differs in the lowest-order bits.
Class 2: Connection-oriented basic service: The signalling connection must be established and disconnected.
Class 3: Connection-oriented basic service with flow control
Transaction Capabilities Application Part (TCAP) is based on SCCP and enables the protocols above it such as, for example, INAP, CAP, MAP and OMAP to communicate worldwide via the SS7 network. This is explained below.
The functions for intelligent networks (IN) are dealt with via the Intelligent Network Application Part (INAP). This includes, among other things, call number portability (LNP, Local Number Portability) or 0800 numbers which are routed to the nearest exchange depending on the location of the caller.
CAMEL Application Part (CAP) is used in mobile radiocommunications networks and serves the purpose of Customised Applications for Mobile networks Enhanced Logic (CAMEL).
MAP (Mobile Application Part) serves the purpose of communication between the various components of the mobile radiocommunications network (among others HLR, VLR, SMSC). The standard can also be used for communication between mobile radiocommunications networks of various providers and is thus one of the requirements for roaming functionality. By means of roaming, a mobile radiocommunications subscriber can log into third-party networks (for example, foreign mobile operators with a roaming contract or in order to be able to make emergency calls even if the mobile radiocommunications subscriber is not in the area of coverage of his/her own provider). The accounting-relevant components are transmitted by Transferred Account Procedure (TAP).
Short Messages (SMS) are also transmitted in the MAP in addition to the roaming and the control of speech connections. Moreover, functions for identifying the device type and the IMEI are also transmitted in the MAP so that mobile telephone-specific configurations can be transmitted by the mobile operator to the terminal.
Operations, Maintenance and Administration Part (OMAP) is a function for operation, maintenance and administration, comprising, for example, software maintenance, configuration and the setting up of call number blocks for mobile radiocommunications terminals.
The layer model can be inferred from FIG. 10.
Originally intended for signalling in the case of fixed-line network connections, SS7 was extended in the 80s and 90s by a large number of add-ons to support mobile radiocommunications networks, in order to enable, for example, SMS, Roaming, Prepaid and data traffic. In the mean time, it is no longer only the state telecommunications companies which have access to SS7, but also thousands of smaller companies and providers worldwide.
A protocol part of SS7 which is responsible for transmitting mobile communication is SS7/MAP (Mobile Application Part). SS7/MAP is used both within the network structure of a mobile radiocommunications provider and in the communications of mobile radiocommunications providers with one another, e.g. for roaming. Points of attack for external SS7 users now exist here as a result of the historic development of the SS7 protocol and as a result of inadequate implementation of protection mechanisms in network elements. In the case of mobile radiocommunications providers, these can be used to carry out fraud, to infringe the privacy of the mobile radiocommunications customer or even to listen in to mobile radiocommunications conversations, and they also represent a security risk for the internal SS7 signalling networks of the mobile radiocommunications providers.
The Mobile Application Part (MAP) is an SS7 protocol which provides an application layer for the various nodes in GSM and UMTS mobile core networks and GPRS core networks to communicate with one another in order to be able to provide services for mobile users. The Mobile Application Part is the application layer which is used to access the Home Location Register (HLR), Visitor Location Register (VLR), Mobile Switching Center (MSC), Equipment Identity Register (EIR), Authentication Centre (AuC), Short Message Service Center (SMSC) and Serving GPRS Support Node (SGSN).
The key facilities which are provided by MAP:
Mobility Services: Location management (to support roaming), authentication, administering subscription information of services, troubleshooting.
Operation and maintenance: Mobile radiocommunications subscriber tracing, retrieving a mobile radiocommunications subscriber's IMSI.
Call administration: Routing, processing calls during roaming, checking whether a mobile radiocommunications terminal is available to receive calls.
Additional services.
Short Message Service.
Packet data protocol (PDP) services for GPRS: Providing routing information for GPRS connections.
Location Service Management Services: Getting the location of the mobile radiocommunications terminals.
The Mobile Application Part specifications which were originally defined by the GSM Association are now controlled by ETSI/3GPP. MAP is defined by two different standards depending on the mobile network type:
MAP for GSM (prior to release 4) specified by 3GPP TS 09.02
MAP for UMTS (“3G”) and GSM (release 99 or higher) is specified by 3GPP TS 29.002
A similar protocol, generally referred to as IS-41 or ANSI-41 (ANSI MAP), plays the role of MAP in mobile radiocommunications networks based on ANSI standards (currently CDMA2000, formerly AMPS, IS-136 and cdmaOne). Since 2000 it has been maintained by 3GPP2 as N.S0005, and since 2004 it has been called 3GPP2 X.S0004.
MAP is a Transaction Capabilities Application Part (TCAP) user, and as such it can be transported with “traditional” SS7 protocols or via IP with transport-independent Signalling Connection Control Part (TI-SCCP) or with SIGTRAN.
In mobile radiocommunications telephone networks such as GSM and UMTS, the SS7 application MAP is used. Speech connections are Circuit Switched (CS) and data connections are Packet Switched (PS) applications. The mobile terminal is also named ME. SCF stands for Service Control Function.
Some of the GSM/UMTS Circuit Switched interfaces in the mobile switching point (MSC), which are transported via SS7, comprise the following:
B→VLR (uses MAP/B). The majority of MSCs are assigned to a visitor register (VLR) such that the B interface is “internal”.
C→HLR (uses MAP/C). The communications between MSC and HLR are dealt with by the C interface.
D→HLR (uses MAP/D) for connection to the CS network and for location updates
E→MSC (uses MAP/E) for inter-MSC relays
F→EIR (uses MAP/F) for device identity checks
H→SMSC (uses MAP/H) for Short Message Service (SMS) via CS
I→ME (uses MAP/I). Communications between MSC and ME are dealt with by the I interface.
J→SCF (uses MAP/J). Communications between HLR and gsmSCF are dealt with by the J interface.
There are also several GSM/UMTS PS interfaces in the Serving GPRS Support Node (SGSN) which are transported via SS7:
Gr→HLR for connection of the PS network and location updating
Gd→SMS-C for SMS via PS
Gs→MSC for combined CS+PS signalling via PS
Ge→charging for Customised Applications for Mobile networks Enhanced Logic (CAMEL), prepaid loading
Gf→EIR for the device identity check
The listed functions make no claim to completeness; rather, they only describe the functionality which is described in detail below.
Due to the plurality of components, different network providers and also manufacturers, attacks on the network infrastructure of the mobile radiocommunications providers can occur.