C Subscriber Traffic Interception

Following are the types of attacks in a subscriber traffic interception:

• Call redirection with interception
• SM interception/monitoring

The message UpdateLocation is used to inform the HLR about a change in a mobile switch. Terminating SMSs or calls are intercepted by sending a fake request to register a subscriber in an intruder's network. When a terminating call is received, the operator's network sends a request to a fake network to obtain the subscriber's roaming number. An attacker can send the number of their telephone exchange in response, and the incoming traffic will be transmitted to the attacker's equipment. After sending another request to register the subscriber in the real network, the attacker can redirect the call to the subscriber's number. As a result, the conversation will pass through the equipment controlled by the attacker.

The same principle is used for the interception of terminating calls via RegisterSS. However, in such a case, terminating calls are unconditionally redirected to the intruder's telephone exchange.

Originating calls are tapped by using a similar pattern. The InsertSubscriberData message replaces the address of the billing platform in the subscriber's profile stored in the VLR database. When a request is sent to the changed address, the attacker first redirects the originating call to their equipment and then redirects it to the called subscriber. Therefore, the attacker can tap any conversation of the subscriber.