T1430.002 Impersonate SS7 Nodes
Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.65142
By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.6
| Item | Value |
|---|---|
| ID | T1430.002 |
| Sub-techniques | T1430.001, T1430.002 |
| Tactics | TA0035, TA0032 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 05 April 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0602 | Circles | Circles can track the location of mobile devices.7 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1014 | Interconnection Filtering | Filtering requests by checking request origin information may provide some defense against spurious operators.3 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Flow |
References
-
3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016. ↩
-
Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017. ↩
-
Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016. ↩
-
Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016. ↩
-
Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016. ↩↩
-
Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020. ↩