@@ -1,4 +1,4 @@
# Telecom Network Exploitation (GTP / Roaming Environments)
# Telecom Network Exploitation (GTP / SS7 / Diameter / Roaming Environments)

{{#include ../../banners/hacktricks-training.md}}
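Review bot: the retitled heading now promises SS7 and Diameter coverage, but the change only adds those protocols inside the new section 13 on roaming-signalling surveillance; either add a one-line scope note under the title pointing readers to that section, or keep the original "GTP / Roaming Environments" wording, since SS7 and Diameter are treated in this change as roaming-environment signalling rather than as standalone topics.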

@@ -378,6 +378,62 @@ Watch for 401/403 bypasses and crashes in SMF/AMF pods; patched free5GC builds r

---

## 13. Roaming Signalling Surveillance: SS7, Diameter, and SIM-triggered tracking

Modern roaming surveillance is usually not a single software bug. It is an abuse of the trust model that lets mobile operators, roaming hubs, SMS providers, MVNEs, and IPX/GRX carriers exchange traffic so that subscribers can travel and still receive service. Once an actor has access to that private signalling ecosystem, their requests may look like normal roaming traffic even when they are being sent for surveillance.

The important mental model is that the attacker is not necessarily "inside" the victim operator. They may be using a leased Global Title, a third-party messaging provider, a roaming partner, a compromised telecom node, or a commercial platform that already has signalling connectivity. From there, they try to make SS7 or Diameter messages appear to come from operators that the victim network is more likely to trust.

### 13.1 Combined-attach pivoting between SS7 and Diameter
Many operators still run 3G and 4G roaming at the same time. With **combined attach**, a subscriber can be registered in both worlds so that voice, SMS, data, and fallback services keep working. That operational convenience gives attackers more than one protocol path to test. If an SS7 firewall blocks a location query, the same actor may quickly switch to Diameter. If Diameter controls are stricter, they may fall back to SS7.

In the Citizen Lab case study, this looked like an attacker trying `sendRoutingInfoForSM` first to map a phone number (`MSISDN`) to a subscriber identity (`IMSI`), then sending `provideSubscriberInfo` to ask for subscriber state and approximate location, then moving to Diameter `Insert-Subscriber-Data-Request` messages with location-related attributes. After repeated failures, the actor returned to SS7 and escalated to `anyTimeInterrogation`, a more explicit location-tracking operation.

For defenders, the lesson is that SS7 and Diameter logs should not be reviewed as separate worlds. The suspicious pattern is the same target subscriber being touched through both protocols in a short period, especially when the apparent source operator changes several times. Source rotation is often a sign that the actor is searching for a trusted path through uneven firewall rules.

### 13.2 SS7 roaming abuse: GT spoofing, alternate entry paths, and OPC mismatch analysis
SS7 messages are routed with **Global Titles (GTs)**. A GT is a signalling address for a network node; it is not the subscriber's phone number, even though it can look phone-number-like. Transit nodes called **Signalling Transfer Points (STPs)** move these messages across the international signalling backbone, and the **Originating Point Code (`OPC`)** identifies the point code of the node that handed the message to the next hop.

The weakness is that old SS7 routing was designed for a trusted operator community and does not strongly prove that the claimed source really sent the message. An attacker can therefore send location-related operations that appear to come from a legitimate operator GT. Commonly abused operations include `sendRoutingInfoForSM` for IMSI discovery, `provideSubscriberInfo` for subscriber state and location-related fields, and `anyTimeInterrogation` for more direct location tracking.

A practical way to explain the `IR.21` check is: `IR.21` says which interconnect providers an operator is expected to use, while `OPC` shows where a message actually entered or traversed the SS7 backbone. If a GT belonging to operator A repeatedly arrives through an `OPC` assigned to an unrelated provider, that mismatch may reveal a third-party injection path, leased GT usage, or a surveillance platform hiding behind another carrier relationship.

Useful hunting fields are the calling-party GT, called-party GT, `OPC`, `DPC`, MAP operation, target `IMSI`/`MSISDN`, and any returned location fields such as Cell ID, LAC, MCC, or MNC. Build an allowlist from expected `IR.21` interconnects, enrich `OPC` values with ITU ISPC ownership, and alert when a claimed operator identity repeatedly enters through an unexpected first-hop provider.

### 13.3 Diameter header spoofing and route steering
Diameter, used heavily in 4G and many roaming environments, was designed with better security options than SS7, including TLS, IPsec, and peer authentication. The problem is deployment reality: many roaming networks still trust peer metadata and do not consistently verify that the hostname, realm, certificate, route, and roaming agreement all describe the same real operator relationship.

The key fields are `Origin-Host`, `Origin-Realm`, `Destination-Realm`, and `Route-Record`. `Origin-Host` identifies the node that claims to have originated the message. `Origin-Realm` identifies the claimed sender network and is used in routing decisions. `Destination-Realm` points to the target operator realm. `Route-Record` records relay nodes along the path so replies can follow the expected route back.

Abuse happens when those identifiers are made plausible but inconsistent. For example, a request may use an `Origin-Host` that looks like one operator while the `Origin-Realm` belongs to another, or a `Route-Record` may force the answer path through infrastructure useful to the attacker. In Citizen Lab's reporting, this kind of manipulation was used to steer surveillance messages through selected interconnect providers and to make traffic appear more trustworthy to the receiving network.

When hunting, treat mismatched `Origin-Host` and `Origin-Realm` as the Diameter equivalent of source spoofing. Also compare `Route-Record` values with known IPX providers from `IR.21`, DNS, and BGP data. A single odd message may be a routing mistake, but repeated mismatches targeting the same `IMSI` or reusing the same command template across many operator identities should be investigated as coordinated signalling abuse.

### 13.4 Fingerprinting centralized surveillance tooling from signalling artefacts
Cross-network campaigns often look noisy because the apparent source operator changes. The trick is to cluster the parts of the traffic that are generated by the attacker platform itself. If many unrelated operator identities produce near-sequential SS7 transaction identifiers (`TIDs`), that suggests one backend is generating requests and merely swapping the outer identity.

Diameter gives similar fingerprints. Non-standard `Session-Id` formats, especially repeated patterns like `origin-host;timestamp;local-id`, can reveal a custom implementation. Citizen Lab observed actors using unusual `Session-Id` patterns, including one case where the target `IMSI` was embedded directly in the value so the platform could correlate replies for a specific device.

Template reuse is also important. If the same AVPs, flags, location options, malformed values, and timing patterns appear across many claimed operators, the operator identities may be costumes while the generation logic stays stable. These artefacts are useful because attackers can rotate GTs, hostnames, and transit providers more easily than they can rebuild the surveillance platform that creates the messages.

### 13.5 Hidden SMS to SIM/UICC as a covert tracking primitive
Tracking does not always require malware in Android or iOS. Some attacks target the SIM/UICC, which is a small smart card with its own applications and command processing. A specially formatted binary SMS can be addressed to the SIM rather than to the user's normal messaging app, so the phone may not display it, store it in the inbox, or make the user aware that anything arrived.

The most important public example is **SIMjacker**, which abuses the S@T Browser, a SIM Toolkit application present on some SIM cards. In the Citizen Lab STA2 case, a binary `mt-ForwardSM` message carried commands intended for the SIM. The decoded flow attempted to ask the phone for local network information, such as cell and location-area data, and then send the result back by SMS to attacker-controlled infrastructure.

At a beginner-friendly level, think of this as moving the attack surface below the phone operating system. The app layer may be clean, and there may be no spyware process to find, because the instruction was processed by the SIM toolkit environment. That is why network-side evidence matters so much: SMS firewall logs, SS7 traces, and Diameter traces may be the only durable artefacts.

For pentesting and detection, inspect for binary or non-user-displayable SMS sent with SIM/OTA-style headers, especially `TP-PID = 127` and binary `TP-DCS` values such as `0x16` where visible in telemetry. Correlate those deliveries with later SS7 `PSI`/`ATI` or Diameter `AIR`/`IDR` activity against the same `IMSI`. A suspicious SMS followed by signalling location queries is a stronger signal than either event on its own.

### 13.6 Hunt checklist
Start from the target identifier, not only from the source network. Cluster `SRISM`, `PSI`, `ATI`, Diameter `AIR`, and Diameter `IDR` events that touch the same `IMSI` or `MSISDN` inside a narrow time window. Then look outward for source rotation, protocol switching, and repeated parameters.

Compare SS7 `OPC` and Diameter `Route-Record` paths with the operator's declared `IR.21` interconnects. Alert when a claimed operator identity enters through an unexpected provider, when `Origin-Host` and `Origin-Realm` belong to different operator identities, or when one backend appears to reuse the same `Session-Id` style and AVP template across many networks.

Finally, correlate SMS and signalling logs. A hidden or binary SMS that immediately precedes location-query bursts against the same subscriber should be investigated as possible SIM-triggered tracking, even when there is no handset malware indicator.

---

## Detection Ideas
1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
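Review bot: the `Route-Record` description in 13.3 does not match RFC 6733, which this change itself adds as a reference. Per RFC 6733 a relay or proxy appends `Route-Record` for loop detection, and answers are not routed along it; they are returned hop by hop using the Hop-by-Hop Identifier each peer stores for the pending request, and request routing uses `Destination-Realm`/`Destination-Host`, not `Origin-Realm`. Suggest rewording "`Route-Record` records relay nodes along the path so replies can follow the expected route back" to something like "`Route-Record` is appended by each relay for loop detection, so it exposes the forwarding path the request claims to have taken", and rewording "a `Route-Record` may force the answer path through infrastructure useful to the attacker" to state what the Citizen Lab report actually observed about path steering, so the hunting advice two paragraphs later (compare `Route-Record` against known IPX providers) rests on the correct mechanism. Smaller point in 13.5: `TP-PID = 127` is more recognisable to readers decoding SMS-DELIVER headers as `0x7F` (SIM data download in 3GPP TS 23.040); giving both forms avoids confusion with the hex `TP-DCS` value quoted in the same sentence.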
@@ -387,6 +443,10 @@ Watch for 401/403 bypasses and crashes in SMF/AMF pods; patched free5GC builds r
6. 5G: **NAS Security Mode negotiating EEA0/EIA0** outside emergency contexts.
7. PFCP: **Session Modification carrying duplicate PDR IDs or sudden FAR redirection to off-net IPs**.
8. SBA: **NRF issues tokens whose `aud` does not match the called NF** – indicative of Cross-Service Token replay.
9. SS7/Diameter: **the same subscriber queried via `SRISM` / `PSI` / `ATI` and Diameter `IDR` across short time windows**.
10. SS7: **GTs entering through first-hop `OPC`s that do not match the operator's `IR.21` providers**.
11. Diameter: **mismatched `Origin-Host` / `Origin-Realm` or suspicious `Route-Record` paths**.
12. SIM tracking: **binary/hidden SMS immediately preceding location-query bursts against the same IMSI/MSISDN**.

## References
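Review bot: detection idea 9 clusters only Diameter `IDR` with the SS7 `SRISM` / `PSI` / `ATI` operations, while the 13.6 hunt checklist in the previous hunk clusters Diameter `AIR` and `IDR`; align the two so the detection list and the checklist name the same event set (add `AIR` here or drop it from 13.6). Style: item 12 writes IMSI/MSISDN in plain text while items 9 to 11 and the rest of the section code-format `IMSI`, `MSISDN`, `OPC` and `Origin-Host`; use backticks in item 12 for consistency.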

@@ -401,5 +461,8 @@ Watch for 401/403 bypasses and crashes in SMF/AMF pods; patched free5GC builds r
- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
- [Cross-Service Token in 5G Core (API Security Blog)](https://api-security.blog/2025/09/12/cross-service-token-finding-attacks-in-5g-core-networks/)
- [PFCP Session Modification Hijack in OAI UPF](https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-upf/-/issues/33)
- [Citizen Lab - Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors](https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/)
- [RFC 6733 - Diameter Base Protocol](https://www.rfc-editor.org/rfc/rfc6733)
- [Enea - Simjacker: Next Generation Spying via SIM Card Vulnerability](https://www.enea.com/insights/simjacker-next-generation-spying-over-mobile/)

{{#include ../../banners/hacktricks-training.md}}
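Review bot: section 13.5 relies on specific SMS header encodings (`TP-PID = 127`, `TP-DCS` `0x16`) and sections 13.2 and 13.6 on `IR.21` interconnect data and ITU ISPC ownership, but none of the three references added in this hunk cover those sources; add 3GPP TS 23.040 for the TP-PID/TP-DCS values and the GSMA IR.21 specification (or the GSMA page describing it) so a reader can verify the fields the hunt checklist tells them to allowlist against. The Citizen Lab, RFC 6733 and Enea entries are fine as written and follow the existing `- [title](url)` style.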