Malicious SS7 traffic audit

If your mobile network is not protected from SS7 signaling attacks and leaks, it is very likely that malicious SS7 traffic is running through your STPs in both directions. Besides SS7 attacks coming from outside bad actors, we have also discovered rogue mobile nodes from various vendors that generate malicious SS7 traffic targeting outside mobile networks. And of course, if strict policies are not in place, it is always possible that an insider has misappropriated a GT (Global Title) and is using it for things such as SMS messaging, causing large revenue leaks.

A malicious SS7 traffic audit in a mobile network consists of two phases:

Phase 1: traffic capture

All international SS7 traffic is captured passively, for example on a span port of your STP. This process can be performed by your own engineering team or our analyst onsite. Ideally the traffic should be captured for at least 24 to 48 hours, more if possible.

Phase 2: traffic analysis

Using our proprietary analysis software, the captured traffic is filtered and the results are analyzed by our analyst onsite. At the end of the engagement, a report is provided covering the following areas:

  • Nature of external SS7 attacks, targets and identities of attackers
  • Rogue network nodes that originate malicious SS7 traffic targeting other networks
  • GT audit and list of possibly misappropriated GTs

For security and confidentiality reasons, SS7 traffic audits are performed onsite. Traffic captures do not leave the mobile operator’s premises at the end of the audit and are not shared with anyone.

To discuss an SS7 traffic audit for your network, please contact us.