TELCOBREAK
Workshop · DEF CON 34

Key Identifiers

IMSIInt'l Mobile Subscriber Identity
Your permanent SIM identity. 15 digits. Stored in SIM and HLR. An attacker who captures your IMSI can track you and query your profile.
310MCC
260MNC
123456789MSIN
MCC = country · MNC = carrier · MSIN = subscriber
MSISDNMobile Station Int'l Number
Your phone number (E.164 format). Stored in HLR, linked to IMSI. What you dial — not what travels over the air. SS7's SRI message maps MSISDN → IMSI. +1-310-555-0100 → IMSI via HLR lookup
IMEIInt'l Mobile Equipment Identity
Identifies the device (hardware), not the subscriber. 15 digits. Blacklisted by carriers when a phone is reported stolen. Unlike IMSI, swapping SIMs does not change the IMEI.
TMSITemporary Mobile Sub. Identity
A temporary alias for the IMSI, issued by the MSC after first attach. Refreshed on each location update. Protects IMSI on the air interface — but only in 2G/3G once connected. The very first attach still sends the IMSI.
SUPI / SUCI5G Subscription Identifiers
SUPI = 5G's name for the permanent identity (replaces IMSI concept). SUCI = SUPI encrypted with the home network's public key via ECIES. What actually crosses the air — a ciphertext that rotates every attach. An IMSI catcher gets nothing useful.

Network Generations — Security Snapshot

Gen Auth Air Identity Core Proto Key Risk
2G GSM One-way IMSI cleartext MAP/SS7 IMSI catchers trivial
3G UMTS Mutual IMSI 1st attach MAP/SS7 Downgrade → 2G; SS7
4G LTE Mutual IMSI 1st attach Diameter Downgrade; Diameter attacks
5G NR Mutual SUCI (encrypted) HTTP/2+TLS Legacy interop, still evolving
Downgrade reminder: A device that supports 5G can still be forced onto 2G if an attacker suppresses higher-gen signals. Every 2G vulnerability then applies.

Core Protocols

SS7 — Signaling System No. 7
The backbone signaling protocol of the PSTN and 2G/3G cellular world. Carries call routing, SMS, and subscriber management messages (MAP). Designed in the 1970s with zero authentication between carriers — trust is implied by network position. SS7 interconnects are still accessible globally via carrier peering and gray-market SS7 hubs.
MAP — Mobile Application Part
The SS7 protocol layer that carries cellular-specific messages: subscriber location, authentication vectors, SMS routing. The messages below are the key ones you'll encounter in Sections 1 and 2.
Diameter
4G's replacement for SS7/MAP on the core network. Authentication, Authorization & Accounting (AAA). More modern than SS7, but still exposed via carrier interconnects. Key interfaces: S6a (HSS ↔ MME), Gx (PCRF policy), Rx (IMS). Diameter-based attacks mirror SS7 attacks in intent.
5G SBA — Service-Based Architecture
HTTP/2 + TLS + JSON replaces MAP and Diameter in pure-5G deployments. Network functions communicate as REST microservices. Eliminates the decades of implicit trust baked into SS7. However: 5G ↔ 4G/3G interwork gateways (N26, SGs) re-expose legacy protocol attack surface.

Network Architecture — Who Does What

  • UE / MS Your handset + SIM. SIM holds IMSI and secret key Ki. Ki never leaves the SIM — auth math runs inside it. 5G: USIM also stores home network public key for SUCI derivation.
  • BTS / gNB The radio tower. Manages the air interface (Um in 2G, NR-Uu in 5G). No inherent crypto verification from the UE side in 2G — what an IMSI catcher impersonates.
  • BSC / RNC Base Station Controller. Aggregates multiple towers, manages handoff. Backhaul to the core (A-interface in 2G).
  • MSC / VLR Mobile Switching Center + Visitor Location Register. Routes calls, tracks currently-serving MSC. Queries HLR for auth vectors and subscriber info.
  • HLR / AuC Home Location Register + Authentication Center. Master subscriber database: IMSI ↔ MSISDN mapping, Ki storage, auth vector generation (RAND, SRES, Kc). The crown jewel — SS7 attacks against HLR can expose location and profile.
  • 4G: HSS / MME HSS = LTE's HLR equivalent (Diameter). MME = Mobility Management Entity, handles attach/detach. Replaces MSC/VLR in the EPC core.
  • 5G: UDM / AMF UDM = Unified Data Management (5G HLR). AMF = Access and Mobility Function (5G MME). Communicate via SBA over HTTP/2.

Key SS7 MAP Messages

Abbreviation Full Name What it does / attack use
SRI Send Routing Info Queries HLR for IMSI from a phone number (MSISDN). Legitimate use: call routing. Attack use: enumerate real IMSIs from a phone book.
SRI-SM Send Routing Info for SM Same as SRI but for SMS routing. Also returns IMSI. Frequently abused because SMSC access is widespread.
ATI Any Time Interrogation Queries HLR for subscriber location, IMEI, subscriber state. One of the most powerful SS7 location messages — requires no prior signaling interaction with the device.
PSI Provide Subscriber Info Sent to MSC/SGSN for real-time location (serving cell, Cell-ID). More precise than ATI; used in emergency location services — and in SS7 attacks.
UL / ISD Update Location / Insert Subscriber Data Normally used for roaming. Attackers forge UL to divert calls to an attacker-controlled VLR, enabling interception.
SAI / GAI Send / Get Authentication Info Retrieves authentication vectors from HLR/AuC. If an attacker can send SAI, they get RAND/SRES/Kc and can impersonate the network or decrypt calls.

Attack Quick Reference

IMSI Catcher
aka Stingray, fake BTS
Set up a rogue 2G base station broadcasting the real MCC/MNC. Devices with no 4G/5G option attach automatically and send their IMSI in cleartext before any authentication. The catcher harvests IMSIs passively — no interaction needed.
3G/4G mutual auth + SUCI in 5G. Downgrade prevention (3GPP TS 33.501).
Downgrade Attack
force 5G → 4G → 2G
Jam or suppress 4G/5G signals, or broadcast a rogue cell with very high power, forcing a capable device onto 2G. All 2G weaknesses then apply: IMSI catchers, broken encryption, no mutual auth.
Network-side rejection of 2G attach for certain subscribers; SIM-based min-gen policy.
SS7 Location Tracking
ATI / PSI query
From an SS7 interconnect, send ATI or PSI to the target's HLR/MSC with just their MSISDN or IMSI. Response includes serving cell and Cell-ID, which maps to a geographic location within ~100m–5km depending on cell density.
SS7 firewall: block ATI/PSI from non-home originators. Diameter firewall equivalent: block PUR/CLR from untrusted peers.
Call / SMS Interception
UL + SAI chain
Chain an Update Location message to divert calls to an attacker VLR, then use Send Auth Info to obtain session keys. Decrypt 2G traffic with harvested Kc. For SMS: inject a fake SRI-SM to reroute messages to an attacker SMSC.
SS7 firewall, UL source validation, operator-to-operator agreements, 4G/5G for voice (VoLTE / VoNR).

Lab CLI — Command Reference

attach --net 2g
Trigger a 2G GSM attach. On first attach, the MS sends IMSI in cleartext. If a rogue BTS is online, it intercepts instead.
attach --net 5g
Trigger a 5G NR registration. Identity crosses the air as SUCI (encrypted). Mutual auth (5G-AKA) follows — AUTN verified both ways.
sniff air
Arm the passive sniffer on the air interface (Um / NR-Uu). Run before attach to capture the next transmitted identity.
decode last
Expand and decode the most recently captured frame. Shows field-by-field breakdown — IMSI, SUCI, AUTN, etc.
auth show
Display the authentication exchange for the current attach. Shows whether auth is one-way (2G) or mutual (5G) and what each side proves.
cell rogue --mcc 310 --mnc 260 --power high
Bring a rogue BTS online broadcasting the real network's MCC/MNC at high power. All nearby 2G devices will prefer it over the legitimate tower.
cell rogue --suppress lte
Suppress LTE/5G signals to force downgrade to 2G. Teaching abstraction — real-world bidding-down is more gradual. Shows the downgrade effect instantly.
submit <value>
Submit a captured value as a flag. Use the value from decode last — e.g. submit 310260123456789. Hint system guides you if wrong.
sri --msisdn +13105550100
Section 1: SS7 SendRoutingInfo — look up the IMSI associated with a phone number. Simulates an SS7 query to HLR.
ati --imsi 310260123456789
Section 2: SS7 AnyTimeInterrogation — query subscriber location and state. Returns serving cell, Cell-ID, IMEI.
profile --imsi 310260123456789
Section 2: Pull full subscriber profile from HLR — service subscriptions, barring flags, call forwarding, roaming status.
stage 1 · stage 2 · stage 3 · clear · reset
Navigation: jump directly to a stage, clear the console output, or reset current stage state. Also: type help in any scenario for the full command list.