HLR Lookup Attack Vectors
"Analyzing the exploitation of Home Location Register queries for subscriber tracking and metadata extraction."
HLR Lookup Attack Vectors in SS7
The Home Location Register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network.
The Role of SRI (Send Routing Info)
Attackers often use the SendRoutingInfoForSM MAP (Mobile Application Part) message to query the HLR. This message is intended to facilitate SMS delivery but can be abused.
Metadata Extraction
A successful SRI query can return:
- IMSI: The unique ID of the subscriber.
- MSC Address: The current Mobile Switching Center the subscriber is connected to.
- VLR Address: The Visitor Location Register details.
Exploitation Scenarios
1. Precise Location Tracking
By knowing the MSC/VLR address, an attacker can pinpoint a subscriber's location down to a specific city or even a neighborhood.
2. Denial of Service (DoS)
Flooding the HLR with malicious queries can degrade service for legitimate subscribers or even cause a complete network outage in a specific region.
sequenceDiagram
participant Attacker
participant STP as Signaling Transfer Point
participant HLR as Home Location Register
Attacker->>STP: SRI_SM (MSISDN)
STP->>HLR: Forward SRI_SM
HLR-->>STP: ACK (IMSI, MSC_Address)
STP-->>Attacker: Subscriber MetaData
!CAUTION SS7 vulnerabilities are protocol-level flaws. Even modern 4G/5G networks often fall back to SS7 for international roaming, maintaining this attack surface.
Defensive Strategies
- Signaling Firewalls: Implement firewalls that can inspect MAP messages and block suspicious SRI patterns.
- IMSI Randomization: Use temporary identifiers (TMSI) to mask the permanent IMSI.
- Home Routing: Ensure that signaling messages are always routed through the home network for validation.