First reported for-profit SS7 attacks

Security experts agree that malicous attacks are more likely to be perpetrated when a potential financial gain exists for the attackers. This is why our remote SS7 vulnerability assessments and SS7 vulnerability trainings make a point to show operators the gain that attackers can derive from each attack vectors, including the possibility to steal SMS-based tokens (also called TANs) used by banks in certain countries to provide two factor authentication to execute wire transfers.
Sueddeutsche Zeitung has just reported a series of sucessful attacks that took place earlier this year and resulted in multiple fraudulent wire transfers from bank accounts of German consumers.
More on this story, including comments from The Telecom Defense Company’s Principal Consultant Jean Gottschalk, can be found in an article published today by Security Week.

FCC releases long awaited CSRIC WG10 report on SS7 vulnerabilities

The report on vulnerabilities and risks inherent to the Signaling System #7 (SS7), which was ordered by the FCC from a specially formed group (CSRIC Working Group 10) thanks to the efforts, amongst other, of Congressman Ted Lieu, has finally been released.
A copy of the report can be downloaded here.

The working group aknowledges the vulnerabilities that are long known to exist in the SS7 network, and urges operators to follow the recommendations of the GSMA on adressing them. GSMA’s recommendations include among others the performing of regular external vulnerability assessments, as well as the implementation of specialized SS7 firewalls.
The working group also aknowledges that attacks on the SS7 network have taken place, and advocates end-to-end encryption as a potential permanent solution for subscribers, although the intelligence community typically sees strong encryption as a double edged sword.

Finally, the report points to Diameter signaling, which is intended to one day fully replace SS7, as an area of potential future concern, as well as potential vulnerabilities in ANSI-41 signaling and SIP signaling.

The Telecom Defense Company’s remote SS7 and Diameter vulnerability assessments can help operators identify and quantify the actual vulnerabilities that exist in their networks.

World-First SS7 Intelligence Report

While 2016 has seen a lot of attention from telecom regulators on the subject of SS7-based vulnerabilities, and some mobile operators have begun securing their networks, the vast majority of worldwide mobile networks remain vulnerable to SS7-based attacks against their subscribers. Using the SS7 network, an attacker can accurately geo-locate mobile phone, intercept text messages, record phone conversations and much more on unprotected mobile networks.

The Telecom Defense Limited Company’s SS7 intelligence report, updated monthly and sold via annual subscription, provides a mobile operator or regulator with valuable information regarding the identity of currently active attackers on the SS7 network, new attackers, volumes of attacks and trends, origins, types and signatures of attacks.

The reports are produced using anonymized SS7 metadata provided by various partner mobile operators around the world, which creates a representative and realistic picture of the worldwide threat landscape and its trends month after month.

The monthly report contains:

  • Current list of GTs originating malicious SS7 traffic
  • Correlation between attacking GTs and patterns
  • Types of attacks per GT
  • Activity patterns
  • OSINT information on the originating networks to help determine possible attribution
  • Volume of activity and trends

A similar report for the Diameter-based threat landscape is currently under development, and will be made available to customers in the near future.

Forward Defense and The Telecom Defense Limited Company sign regional strategic partnership

2016 has seen a lot of media attention towards SS7-based vulnerabilities that exist in worldwide mobile networks. These vulnerabilities allow attackers, including bad actors and foreign intelligence agencies, to accurately geo-locate nearly any mobile phone, intercept text messages, record phone conversations and much more.
Pushed by regulators and public attention, mobile network operators in several world regions are finally addressing these issues and securing their networks. GCC regulators are no exception and increasingly mandate that mobile network operators in the region quickly re-mediate these vulnerabilities.

The strategic partnership between the two companies now makes cutting edge resources, knowledge and methods to discover and re-mediate SS7 vulnerabilities available in the region directly through local GCC representation for the first time. Through the partnership, Forward Defense is adding the following to its already extensive offering in terms of IT security, training and penetration testing:
– Remote SS7 vulnerability assessments, conducted through the public roaming SS7 interface, to replicate most accurately the attack surface available to a third party attacker.
– Deep technical trainings on SS7 vulnerabilities and how to re-mediate them, both for mobile operators’ technical teams and local regulators. Lead consultants and security researchers from The Telecom Defense Limited Company are typically mobilized locally to deliver these very interactive training sessions.
– Assistance with RFPs and procurement of SS7 Firewall solutions to re-mediate vulnerabilities. Firewall vendors include those certified by The Telecom Defense Limited Company’s recently launched SS7 firewall certification process.

“The speed and low cost at which remote SS7 vulnerability assessments can be conducted using The Telecom Defense Limited Company’s methodology gives our customers a clear advantage when trying to re-mediate SS7 vulnerabilities in an expedient manner.” said David Michaux, Director at Forward Defense.

“We are delighted to be able to provide our expertise locally to operators in the GCC region through this strategic partnership, and of the positive feedback given by customers in our first joint engagements.“ said Jean Gottschalk, Principal Consultant and founder of The Telecom Defense Limited Company.

GCC mobile operators and regulators should contact Forward Defense to discuss any SS7 vulnerability re-mediation or training projects.

http://www.prweb.com/releases/2017/01/prweb14014988.htm

World’s first independent certification for SS7 firewalls

2016 has seen a lot of media attention towards SS7-based vulnerabilities that exist in worldwide mobile networks. These vulnerabilities allow attackers, including bad actors and foreign intelligence agencies, to accurately geo-locate nearly any mobile phone, intercept text messages, record phone conversations and much more.
Pushed by regulators and public attention, most mobile network operators around the world are now aware of this issue, and looking at ways to re-mediate the vulnerabilities and secure their networks. This often requires the deployment of specialized SS7 firewall appliances, to thwart the more complex attacks classified by GSMA (the GSM Association of mobile network operators) as Category 2 and Category 3 vulnerabilities.

But how can a mobile network operator ensure that the SS7 firewall appliance it chooses to deploy will effectively protect against all known SS7 vulnerabilities, now and in the future? Short of thoroughly testing the various appliances during an RFP process, which requires specialized equipment and know-how, this is a difficult task … until now!
The Telecom Defense Limited Company’s world first SS7 firewall certification is the solution to effectively screen vendors of SS7 firewall appliances.
To receive the certification, firewall vendors undergo a real life remote SS7 vulnerability test, which probes for vulnerabilities from all 3 GSMA vulnerability categories over the international roaming SS7 connection in a live mobile network protected by the appliance, replicating the conditions under which a real attacker would operate.
The certification is awarded to SS7 firewall appliances that successfully protect against well known vulnerabilities from all three GSMA-defined vulnerability categories, including when advanced obfuscation techniques such as SCCP spoofing are used.

The first certified SS7 firewall appliance is that of jtendo, a polish vendor of value added mobile network nodes. Other firewall appliance vendors are undergoing certification at the moment, and will be announced in the near future on the company’s website at http://www.telecomdefense.com.

“We are very proud to be the first SS7 firewall appliance to receive the Telecom Defense SS7 firewall certification”, said Piotr Szymanski, Director of jtendo. “The certificate confirms that our firewall product meets or exceeds all GSMA Fraud and Security Group guidelines as described in FS.11”.

“Certifications exist for many IT products, but for SS7 firewall appliances, which often require large capital investments on the part of mobile operators, there was no way to know if a product will successfully thwart off attackers until after it was deployed.”, said Jean Gottschalk, Principal Consultant and Founder of The Telecom Defense Limited Company. “The Telecom Defense SS7 firewall certification comes in response to our customers’ need to streamline their RFP process when selecting an SS7 firewall appliance.”

SS7 firewall vendors interested in applying for the certification should contact The Telecom Defense Limited Company, to have their product tested in a live deployment.

http://www.prweb.com/releases/2016/12/prweb13888246.htm

Why a mobile network needs to be retested for SS7 vulnerabilities after installing an SS7 firewall

The Telecom Defense Limited Company recently completed a SS7 vulnerability assessment for a mobile operator in Europe who had just deployed an SS7 firewall. The operator wanted to ensure, through an independent third party test, that the firewall is doing its job and that no vulnerabilities were left unprotected.

While we found that the firewall was remarkably good at protecting most of the vulnerabilities that are within the scope of our remote SS7 penetration test (things such as leaking of IMSIs, leaking of subscriber location, call intercept, denial of service attack surfaces etc), we were able to discover a handful of vulnerabilities, with low to high severity, that were left unprotected.
Our detailed report allowed the operator to go back to their firewall vendor and address the remaining vulnerabilities to ensure a 100% secure network.

This engagement illustrates why it is important for operators to not only perform initial SS7 vulnerability assessments on their networks, but also retest the network after vulnerabilities are deemed re-mediated, as well as re-test on a periodic basis (at least annually), in order to ensure that no new vulnerabilities have appeared after applying patches or upgrades to existing network nodes or to the firewall itself.

The Telecom Defense Limited Company can guide an operator through the remediation process from start to finish, including assistance with the RFP process for an on-premises SS7 firewall, to ensure that the selected firewall vendor effectively protects against all known vulnerabilities. Considering that the deployment of a network-wide SS7 firewall can be a multi-million dollar project, it’s a wise investment to have an independent third party ensure that the selected firewall is serving its purpose, before a purchase order is issued.

Can an entire mobile network be taken down via SS7?

Recently I was asked if it was really possible to take an entire mobile network down simply by sending a few clever SS7 messages to it, and whether there was any documented occurrence of such an event.

Long network wide “outages” do happen from time to time, for example in France in summer 2012, or in Australia and United Kingdom in summer 2014. These outages are usually explained by software glitches or physical issues, and sometimes not at all.

One network wide outage that was clearly due to an SS7 vulnerability recently, was a network wide outage of over 3 hours on the Telenor network in Norway in February 2016 (reported in the Norwegian news). The outage was caused by an SS7 security company that was conducting remote vulnerability assessments without the permission or knowledge of the assessed network Telenor, and sent the Ericsson HLR into a loop because it didn’t support a very rare SS7 message (I have a pretty good idea of which one!) that the security company sent to it over the public SS7 network.

While there clearly wasn’t a malicious intent behind this particular unintentional outage, we can see however that it was possible for a well informed individual to remotely take down a network in another country all over the public SS7 network, ie without any physical access to the target network.

Ericsson has since then patched the vulnerability on the affected Telenor HLR, however you may wonder how many other Ericsson HLRs are out there with the same vulnerability, that haven’t been patched yet, and how many other undiscovered vulnerabilities exist in thousands of Ericsson and other vendor’s mobile nodes that are deployed worldwide and connected to the public SS7 network.

Listening to a Congressman’s calls. Is it real?

A recent episode of the American show 60 Minutes showed German hackers listening to calls of a US Congressman, from the other side of the world, using a vulnerability found in SS7.

60 Minutes: Hacking into a Congressman’s phone.

Are you wondering if this type of attack would be possible in your network?

Chances are, yes it would be. In other words, if you haven’t done anything to specifically prevent this type of attack, then your network is probably vulnerable to this and other attacks. If you would like to know for sure, The Telecom Defense Company can conduct a SS7 penetration test on your network and confirm whether your network is vulnerable to this and other types of attacks. And of course, we will help you to secure your network and prevent these attacks in the future.