## SS7: Locate. Track. Manipulate. ###### You have a remote-controlled tracking device in your pocket Tobias Engel @2b_as ----- ###### SS7: Locate Track Manipulate 2 ###### SS7: Locate Track Manipulate 2 ----- ##### Signalling System #7 ###### Protocol suite used by most telecommunications network operators throughout ### • ###### the world to talk to each other Standardized in the 1980s in ITU-T Q.700 series ### • ###### When it was designed, there were only few telecoms operators, and they were ### • ###### either state controlled or really big corporations “Walled Garden” approach: trusted each other, so no authentication built in ### • ###### SS7: Locate Track Manipulate ###### 3 ----- ##### Signalling System #7 today ###### New protocols added in the 1990s and 2000s by ETSI and 3GPP to support ### • ###### mobile phones and the services they need (roaming, SMS, data...) Mobile Application Part (MAP) ### • ###### Contains everything mobile phones need that is not call signalling ### ‣ ###### CAMEL Application Part (CAP) ### • ###### New protocol that allows the network operator to build custom services that ### ‣ ###### are not possible with MAP still no authentication for any of this ### • ###### SS7: Locate Track Manipulate ###### 4 ----- ##### Signalling System #7 today ###### Getting access is easier than ever ### • ###### Can be bought from telcos or roaming hubs for a few hundred euros a month ### ‣ ###### Usually (not always), roaming agreements with other networks are needed, ### ‣ ###### but some telcos are reselling their roaming agreements Some network operators leave their equipment unsecured on the internet ### ‣ ###### Femtocells are part of the core network and have been shown to be hackable ### ‣ ###### SS7: Locate Track Manipulate ###### 5 ----- ##### SS7 Procotol Stack ###### This talk Mobile Application Part: specifies additional signalling that is ISDN User Part: CAP MAP required for mobile phones (roaming, Call Control SMS, etc.) ###### required for mobile phones (roaming, ###### specifies additional signalling that is ###### Mobile Application Part: ###### ISDN User Part: ###### Call Control ###### TCAP ###### ISUP ###### CAP ###### Signalling Connection Control Part: network layer protocol, contains source and destination addresses for MAP messages ###### Signalling Connection Control Part: ###### source and destination addresses for ###### MTP Level 3 ###### SCCP ###### MAP ###### MTP Level 2 ###### network layer protocol, contains ###### SMS, etc.) ###### M2UA ###### MAP messages ###### MTP Level 2 ###### M2UA ###### SCTP ###### SCTP ###### MTP Level 1 ###### IP ###### SS7 transport over IP ###### MTP Level 1 ###### IP ###### Ethernet ###### SIGTRAN (example): ###### SS7: Locate Track Manipulate ###### Ethernet ###### 6 ----- ##### Network overview ###### MSC/ SMSC SMSC VLR SS7 SS7 SS7 interconnect HLR HLR Core Network Core Network This talk SS7: Locate Track Manipulate ###### SMSC ###### MSC/ VLR ###### MSC/ VLR ###### BSC/ RNC ###### HLR ###### Basestation Subsystem ###### Core Network ###### Carrier A ###### 7 ###### SMSC ###### MSC/ VLR ###### HLR ----- ##### Network overview ###### MSC/ SMSC SMSC VLR SS7 SS7 SS7 interconnect HLR HLR Core Network Core Network SS7: Locate Track Manipulate ###### SMSC ###### MSC/ VLR ###### MSC/ VLR ###### BSC/ RNC ###### HLR ###### on a subscriber: ###### Basestation Subsystem ###### Core Network ###### Carrier A ###### 8 ###### SMSC ###### MSC/ VLR ###### HLR ----- ##### Network overview ###### MSC/ SMSC SMSC VLR SS7 SS7 SS7 interconnect • HLR HLR • Core Network Core Network • • SS7: Locate Track Manipulate ###### SMSC ###### MSC/ VLR ###### MSC/ VLR ###### BSC/ RNC ###### HLR ###### on a subscriber: ###### Basestation Subsystem ###### Core Network ###### Carrier A ###### 9 ###### SMSC ###### MSC/ VLR ###### • HLR ----- ##### Network overview ###### +13123149810 MSC/ SMSC SMSC VLR +491710760000 SS7 SS7 SS7 interconnect HLR HLR +12404494085 +491700960314 Core Network Core Network Adressing by Global Title (looks like an international phone number) SS7: Locate Track Manipulate ###### Adressing by Global Title (looks like an international phone number) ###### SMSC ###### MSC/ VLR ###### MSC/ VLR ###### BSC/ RNC ###### HLR ###### Basestation Subsystem ###### Core Network ###### Carrier A ###### 10 ###### SMSC ###### MSC/ VLR ###### HLR ----- ##### Cell-Level Tracking ###### The network needs to know which base station (“cell”) is ### • ###### closest to the subscriber to deliver calls, SMS... If you can find out the ID of that cell, it’s geographical position ### • ###### can be looked up in one of several databases The location of the cell tower is also a good approximation of ### • ###### the subscriber’s location In cities, cell towers are so close that subscriber tracking down ### • ###### to street level is possible SS7: Locate Track Manipulate ###### 11 ----- ##### Commercial Tracking Providers ###### Several commercial providers offer cell-level tracking as service, claim ### • ###### coverage of about 70% of worldwide mobile subscribers (with some restrictions...) Only the MSISDN (phone number) is required to locate a subscriber ### • ###### SS7: Locate Track Manipulate ###### 12 ----- ##### Cell Level Tracking with SS7/MAP ###### MAP’s anyTimeInterrogation (ATI) service can query the subscriber’s HLR for ### • ###### her Cell-Id and IMEI (phone serial number, can be used to look up phone type) Home Visited network network MSC/ HLR VLR anyTimeInterrogation req provideSubscriberInfo Paging Request req provideSubscriberInfo Paging Response resp anyTimeInterrogation resp SS7: Locate Track Manipulate ###### HLR ###### network ###### 13 ###### MSC/ VLR ###### Visited network ###### Home ----- ##### Cell Level Tracking with SS7/MAP ###### Only meant as a network-internal service (e.g. to implement “home zones”). ### • ###### External networks should not be able to invoke it but still... ### • ###### 14 ###### SS7: Locate Track Manipulate ----- ##### Cell Level Tracking with SS7/MAP ###### Many networks actually block ATI by now ### • ###### Home Visited network network MSC/ HLR VLR anyTimeInterrogation req returnError ati-not-allowed SS7: Locate Track Manipulate ###### network ###### 15 ###### MSC/ VLR ###### Visited network ###### Home ----- ##### Cell Level Tracking with SS7/MAP ###### Instead, query the MSC/VLR directly • But MSC/VLR use IMSIs (International Mobile Subscriber Identifiers), not phone • numbers, to identify subscribers ask the HLR for the subscriber’s IMSI and Global Title of the current MSC/VLR • Home Visited network network MSC/ HLR VLR sendRoutingInfoForSM req sendRoutingInfoForSM resp SS7: Locate Track Manipulate ###### network ###### 16 ###### MSC/ VLR ###### Visited network ###### Home ----- ##### Cell Level Tracking with SS7/MAP ###### When the attacker knows the IMSI of the subscriber and the Global Title, the ### • ###### MSC/VLR can be asked for the cell id of the subscriber Home Visited network network MSC/ HLR VLR sendRoutingInfoForSM req sendRoutingInfoForSM resp provideSubscriberInfo req Paging Request Paging Response provideSubscriberInfo resp SS7: Locate Track Manipulate ###### network ###### 17 ###### MSC/ VLR ###### Visited network ###### Home ----- ##### Cell Level Tracking with SS7/MAP ###### Works for a lot of ### • ###### networks Most VLR/MSC accept ### • ###### requests from anywhere no plausibility checks ### • ###### SS7: Locate Track Manipulate ###### 18 ----- ##### Real-life tracking ###### We tracked some folks (but only after asking for permission) ### • ###### For about two weeks, cell id was queried once per hour ### • ###### Many, many thanks to Sascha for his work on the maps! ### • ###### SS7: Locate Track Manipulate ###### 19 ----- ##### Observations of a German network operator ###### The Operator started filtering all network-internal messages at the network’s ### • ###### borders This (combined with SMS home routing, which the operator has in place) ### • ###### essentially eliminated the simple form of tracking as seen before Attack traffic dropped more than 80%: ### • ###### Some of that traffic was due to misconfiguration at other networks ### ‣ ###### Commercial use cases: ### ‣ ###### a shipping company was tracking its vehicles ### ###### an SMS service provider for banks who use text messages as a second ### ###### form of authentication (mTAN) was using the MAP sendIMSI request to find out if the SIM was recently swapped SS7: Locate Track Manipulate ###### 20 ----- ##### Observations of a German network operator ###### Some of the network operators where the attacks originated either did not ### • ###### respond or played dumb when the issue was addressed by the German operator The operator believes that those attacks are being performed by state actors or ### • ###### the other network’s operators themselves Some attacks are still happening, which requires other information sources or ### • ###### brute-forcing to get VLR/MSC and IMSI SS7: Locate Track Manipulate ###### 21 ----- ##### Location Services (LCS) ###### In the US, E911 mandates: “Wireless network operators must provide the ### • ###### latitude and longitude of callers within 300 meters, within six minutes of a request by a Public Safety Answering Point” LCS can use triangulation to further narrow down a subscriber’s position or ### • ###### even request a GPS position from the phone (via RRLP) Emergency services request a subscriber’s location from the Gateway Mobile ### • ###### Location Center (GMLC) GMLC requires authentication ### • ###### SS7: Locate Track Manipulate ###### 22 ----- ##### Location Services (LCS) ###### 3GPP TS 23.271 version 11.2.0 Release 11 66 ETSI TS 123 271 V11.2.0 (2013-04) HLR/ VMSC/ Client GMLC UE E.g. police HSS MSC SERVER RAN 1. LCS Service Request 2. Provide Subscriber Location 3. Location Request Requires authentication ###### RAN ###### Figure 9.3: Positioning for a Emergency Services MT-LR without HLR Query SS7: Locate Track Manipulate ###### 23 ----- ##### Location Services (LCS) ###### 3GPP TS 23.271 version 11.2.0 Release 11 66 ETSI TS 123 271 V11.2.0 (2013-04) HLR/ VMSC/ Client GMLC UE E.g. police HSS MSC SERVER RAN 1. LCS Service Request 2. Provide Subscriber Location 3. Location Request Requires authentication ###### RAN ###### Figure 9.3: Positioning for a Emergency Services MT-LR without HLR Query SS7: Locate Track Manipulate ###### 24 ----- ##### Location Services (LCS) ###### Authentication at the GMLC can also be circumvented by directly querying the ### • ###### VLR Home Visited network network MSC/ HLR VLR sendRoutingInfoForSM req sendRoutingInfoForSM resp provideSubscriberLocation req RRLP Requests provideSubscriberLocation resp SS7: Locate Track Manipulate ###### HLR ###### network ###### 25 ###### MSC/ VLR ###### Visited network ###### Home ----- ##### Verifying the sender, MAP-style ###### CAP MAP ###### MAP ###### TCAP ###### TCAP ###### SCCP ###### SCCP ###### Routing of MAP messages ### • ###### happens in the SCCP layer Requests get routed to the ### • ###### “Called Party Address” (e.g. the address of an VLR) Responses will be sent back to ### • ###### the “Calling Party Address” from the request SS7: Locate Track Manipulate ##### Verifying the sender, MAP-style ###### CAP ###### 26 ----- ##### Verifying the sender, MAP-style ###### Problem: ### • ###### SCCP doesn’t know anything ### • ###### about MAP or what entities should be able to use which MAP services “Solution”: ### • ###### Have the sender(!) put another ### • ###### copy of its “Calling Party Address” in an extra field in the MAP layer, so it can be verified Routing will still happen to ### • ###### addresses from the network layer SS7: Locate Track Manipulate ###### Response will be routed to this address This address gets verified ###### 27 ----- ##### Verifying the sender, MAP-style ###### If we tell the truth: ### • ###### Same address SS7: Locate Track Manipulate ###### 28 ###### Same address SS7: Locate Track Manipulate ----- ##### Verifying the sender, MAP-style ###### If we enter an address from the same network that we sent the request to: ### • ###### Similar addresses Response still gets routed back to this address SS7: Locate Track Manipulate ###### 29 ###### Similar addresses Response still gets routed back to this address SS7: Locate Track Manipulate ----- ##### Denial of Service ###### It is not only possible to read subscriber data - it can also be modified, since ### • ###### most network’s VLR/MSC don’t do any plausibility checks Control every aspect of what a subscriber is allowed to do: enable or disable ### • ###### incoming and/or outgoing calls / SMS or data or delete the subscriber from the VLR altogether Visited network MSC/ VLR Get IMSI / VLR address from HLR insertSubscriberData req deleteSubscriberData req / cancelLocation req ## X ###### SS7: Locate Track Manipulate |MSC/ VLR Get IMSI / VLR address from HLR insertSubscriberData req deleteSubscriberData req / cancelLocation req|Col2| |---|---| |Get IM address f|SI / VLR rom HLR| ||| ## X ###### MSC/ VLR ###### 30 ###### Visited network ----- ##### CAMEL ###### ??? “Customised Applications for Mobile networks Enhanced Logic” ### • ###### Specified in 3GPP TS 23.078 ### • ###### Like an overlay over usual MAP logic ### • ###### Defines a set of events, for which the VLR should contact the CAMEL entity in ### • ###### the subscriber’s home network (gsmSCF = “GSM Service Control Function) The gsmSCF then decides if the desired action can continue unmodified or ### • ###### modified or will be aborted SS7: Locate Track Manipulate ###### ??? Logic” ###### 31 ----- ##### CAMEL ###### Example: German subscriber is roaming in France ### • ###### German HLR tells French VLR “notify my gsmSCF at address +4917... ### • ###### whenever the subscriber wants to make a call” Home network Visited network gsm MSC/ HLR SCF VLR insertSubscriberData req with gsmSCF address and list of events to report (“Detection Points”) SS7: Locate Track Manipulate ###### MSC/ VLR ###### gsm SCF ###### Visited network ###### 32 ###### HLR ###### Home network ----- ##### CAMEL ###### Subscriber wants to make a phone call, but dials number in German national format • (0317654...) MSC asks gsmSCF in home network what to do with the call • gsmSCF rewrites number to international format (+49317654...) and tells MSC to continue with • the new number Home network Visited network gsm MSC/ HLR SCF VLR Setup initialDP 0317654... 0317654... connect +49317654... Call setup to rewritten number SS7: Locate Track Manipulate ###### MSC/ VLR ###### gsm SCF ###### Visited network ###### 33 ###### HLR ###### Home network ----- ##### Intercepting calls with CAMEL ###### Attacker overwrites gsmSCF address in subscriber’s MSC/VLR with it’s own, ### • ###### “fake gsmSCF” address Caller network MSC/ VLR insertSubscriberData req with address of attacker as gsmSCF SS7: Locate Track Manipulate ###### Caller network ###### 34 ###### MSC/ VLR ----- ##### Intercepting calls with CAMEL ###### Subscriber wants to call +345678..., but the MSC now contacts the attacker ### • ###### instead of the subscriber’s gsmSCF Caller network +345678... +210987... MSC/ VLR Setup initialDP +345678... +345678... SS7: Locate Track Manipulate ###### +345678... ###### +345678... ###### 35 ###### MSC/ VLR ###### +210987... ###### +345678... ----- ##### Intercepting calls with CAMEL ###### Attacker rewrites number to +210987..., his recording proxy (e.g. an Asterisk ### • ###### PBX) Caller network +345678... +210987... MSC/ VLR Setup initialDP +345678... +345678... connect +210987... SS7: Locate Track Manipulate ###### +210987... ###### +345678... ###### +210987... ###### 36 ###### MSC/ VLR ###### +210987... ###### +345678... ----- ##### Intercepting calls with CAMEL ###### MSC sets up call to +210987..., which bridges it to the original +345678... ### • ###### Both subscribers can talk to each other, while the attacker records the ### • ###### conversation Caller network +345678... +210987... MSC/ VLR Setup initialDP +345678... +345678... connect +210987... Voicecall to +210987... Voicecall to +345678... SS7: Locate Track Manipulate ###### +210987... ###### Caller network ###### +210987... ###### +345678... ###### +210987... ###### 37 ###### MSC/ VLR ###### +210987... ###### +345678... ----- ##### HLR: Location Update ###### When a subscriber travels to another region or country, the VLR/MSC sends a ### • ###### MAP updateLocation request to the subscriber’s HLR Home Visited network network MSC/ HLR VLR Location Updating Request updateLocation req SS7: Locate Track Manipulate ###### MSC/ VLR ###### network ###### Home network ###### 38 ###### HLR ###### Home ----- ##### HLR: Update Location ###### The HLR sends a copy of the subscriber’s data to the VLR/MSC and saves the ### • ###### address of the VLR/MSC Home Visited network network MSC/ HLR VLR Location Updating Request updateLocation req Saves MSC/VLR address insertSubscriberData req SS7: Locate Track Manipulate |Visited network Home network|Col2| |---|---| |MSC/ HLR VLR Location Updating Request updateLocation req Saves MSC/VLR address insertSubscriberData req|| |Saves MSC/|VLR address| |in|| ###### MSC/ VLR ###### network ###### Home network ###### 39 ###### HLR ###### Home ----- ##### HLR: Update Location ###### Now, when somebody wants to call or text the subscriber, the HLR gets asked for #### • ###### routing information (sendRoutingInfo...) and hands out the address of the VLR/ MSC Some Home Visited network network network MSC/ SMSC HLR VLR sendRoutingInfoForSM req sendRoutingInfoForSM resp mt-forwardSM req SMS-DELIVER SS7: Locate Track Manipulate ###### SMSC ###### HLR ###### Visited network ###### network ###### Home ###### 40 ###### MSC/ VLR ###### network ###### Some ----- ##### HLR: Stealing Subscribers ###### The updateLocation procedure is also not authenticated ### • ###### An attacker can simply pretend that a subscriber is in his “network” by sending ### • ###### the updateLocation with his Global Title to the subscriber’s HLR ###### Home network ## “ ” X |HLR Saves attacker’s address|Col2|MSC/ VLR up inser|X dateLocation req tSubscriberData req| |---|---|---|---| |Saves attack|er’s address||| ||||| ## X ###### SMSC ###### HLR ## “ ” ###### network ###### Home ###### SS7: Locate Track Manipulate ###### network ###### Some ###### 41 ###### MSC/ VLR ----- ##### HLR: Stealing Subscribers ###### Now, calls and SMS for that subscriber are routed to the attacker ### • ###### Example: Subscriber’s bank sends text with mTAN. Attacker intercepts ### • ###### message and transfers money to his own account ###### Some network ###### Home network ## “ ” X |SMSC HLR sendRoutingInfoForSM req sendRoutingInfoForSM resp mt-forw re|MSC/ VLR ardSM q|X| |---|---|---| ## X ###### SMSC ###### HLR ## “ ” ###### network ###### Home ###### SS7: Locate Track Manipulate ###### network ###### Some ###### 42 ###### MSC/ VLR ----- ##### HLR: Supplementary Services ###### USSD codes can be executed for other subscribers ### • ###### Some carriers offer transfer of prepaid credits via ### ‣ ###### USSD Call forwardings can be set/deleted ### • ###### An attacker could forward a subscriber’s calls to a ### ‣ ###### premium rate number controlled by him and then call the subscriber’s number, billing all the premium rate calls to the subscriber Switch active SIM in case of Multi-SIM ### • ###### SS7: Locate Track Manipulate ###### 43 ----- ##### HLR: Supplementary Services ###### Requests can even be sent without a previous updateLocation procedure, ### • ###### because the HLR does not check if the subscriber is in the network that is sending the request SS7: Locate Track Manipulate ###### 44 ----- ##### Hybrid Attacks: TMSI De-anonymization ###### An attacker can find out the phone numbers of subscribers around him: ### • ###### Paging of subscribers (e.g. to notify them of an incoming call) has to happen ### ‣ ###### unencrypted TMSI (Temporary Mobile Subscriber Identifier) is normally used for paging so ### ‣ ###### that the real identity of the subscriber (IMSI) does not have to be sent over the air unencrypted MSC/ VLR Paging Request contains TMSI SS7: Locate Track Manipulate ###### MSC/ VLR ###### 45 ----- ##### Hybrid Attacks: TMSI De-anonymization ###### Attacker captures TMSI over the air, e.g. with OsmocomBB ### • ###### MSC/ VLR Paging Request contains TMSI SS7: Locate Track Manipulate ###### MSC/ VLR ###### 46 ----- ##### Hybrid Attacks: TMSI De-anonymization ###### The MSC can be asked to hand out the IMSI if the TMSI is known ### • ###### With updateLocation, the attacker can figure out the MSISDN belonging to ### • ###### the IMSI MSC/ VLR Paging Request contains TMSI sendIdentification req sendIdentification resp containing IMSI SS7: Locate Track Manipulate ###### req ###### MSC/ VLR ###### 47 ----- ##### Hybrid Attacks: Intercept Calls ###### The MSC can be also be asked for the session key for of the subscriber! ### • ###### MSC/ VLR sendIdentification req with TMSI sendIdentification resp containing session keys SS7: Locate Track Manipulate ###### 48 ###### MSC/ VLR ----- ##### Hybrid Attacks: Intercept Calls ###### If the attacker captures an encrypted GSM or UMTS call, he can then decrypt ### • ###### it using the session key Passive attack, no IMSI catcher necessary ### • ###### MSC/ VLR sendIdentification req with TMSI sendIdentification resp containing session keys Voicecall SS7: Locate Track Manipulate ###### 49 ----- ##### LTE ###### LTE uses the Diameter protocol in the core network ### • ###### SS7 is becoming a legacy protocol, but: ### • ###### A lot of the SS7 design has been ported to Diameter, including its flaws ### ‣ ###### E.g. there is still no end-to-end authentication for subscribers ### ‣ ###### GSM/UMTS (and with them SS7) will be around for a long time to come ### ‣ ###### (probably around 20 years) To be able to have connections from GSM/UMTS to LTE, there are interfaces ### • ###### mapping most of the SS7 functionality (including its flaws) onto Diameter SS7: Locate Track Manipulate ###### 50 ----- ##### Summary ###### An attacker needs SS7 access and (most of the time) SCCP roaming with his #### • ###### victim’s network Then, with only his victim’s phone number, he can #### • ###### Track his victim’s movements (in some networks with GPS precision) #### ‣ ###### Intercept his victim’s calls, text messages (and probably data connections, not #### ‣ ###### verified) Disable calls, SMS, data #### ‣ ###### Re-route calls, at the victim’s expense #### ‣ ###### With only a TMSI, captured over the air interface, he can #### • ###### decrypt calls captured off the air (GSM, UMTS) #### ‣ ###### find out the IMSI and phone number belonging to the TMSI #### ‣ ###### SS7: Locate Track Manipulate ###### 51 ----- ##### Countermeasures (for operators) ###### Network operators should remove all necessities to hand out a subscriber’s ### • ###### IMSI and current VLR/MSC to other networks With SMS Home Routing, all text messages traverse an SMS router in the ### ‣ ###### subscriber’s home network When the HLR receives sendRoutingInfoForSM request, it only needs to ### ‣ ###### hand out the address of the SMS router instead of the MSC address Instead of the subscriber’s IMSI, only a correlation id will be returned (that ### ‣ ###### can be resolved by the SMS router) All MAP and CAP messages only needed internally in the network should be ### • ###### filtered at the network’s borders If Optimal Routing is not used, sendRoutingInfo (the one for voice calls, ### ‣ ###### another source of MSC and IMSI), can also be filtered SS7: Locate Track Manipulate ###### 52 ----- ##### Countermeasures (for subscribers) ###### Tell your operator to take action ### • ###### Throw away phone ### • ###### (Sorry, there really isn’t that much you can do) ### • ###### SS7: Locate Track Manipulate ###### 53 ----- ##### Thank you! # Questions? ###### Tobias Engel @2b_as SS7: Locate Track Manipulate 54 ----- ##### References ###### Verint Skylock product brochure: http://apps.washingtonpost.com/g/page/business/skylock-product-description-2013/1276/ • Defentek Infiltrator product brochure: http://infiltrator.mobi/infiltrator.pdf • Signalling System #7, ITU-T Q.700 series: http://www.itu.int/rec/T-REC-Q/e • Mobile Application Part (MAP) specification, 3GPP TS 29.002: http://www.3gpp.org/ftp/Specs/archive/29_series/29.002/ • CAMEL Phase 4; Stage 2: 3GPP TS 23.078: http://www.3gpp.org/ftp/Specs/archive/23_series/23.078/ • CAMEL Application Part (CAP) specification, 3GPP TS 29.078: http://www.3gpp.org/ftp/Specs/archive/29_series/29.078/ • Washington Post, For sale: Systems that can secretly track where cellphone users go around the globe: http://wapo.st/ • 1qavLmF Functional stage 2 description of Location Services (LCS), 3GPP TS 23.271: http://www.3gpp.org/ftp/Specs/archive/ • 23_series/23.271/ osmocomBB: http://bb.osmocom.org/trac/ • Evolved Packet System (EPS): MME and SGSN related interfaces based on Diameter protocol, 3GPP TS 29.272: http:// • www.3gpp.org/ftp/Specs/archive/29_series/29.272/ Study into routeing of MT-SMs via the HPLMN, 3GPP TR 23.840: http://www.3gpp.org/ftp/Specs/archive/23_series/23.840/ • Sergey Puzankov and Dmitry Kurbatov, How to Intercept a Conversation Held on the Other Side of the Planet: http:// • www.slideshare.net/phdays/phd4-pres-callinterception119 SS7: Locate Track Manipulate ###### 55 -----