SS7 Vulnerabilities

(If you don’t know what SS7 is, you may want to start here.)

Although SS7 networks have been vulnerable since inception, the risk of SS7 based attacks on mobile networks have been gaining a lot of attention in the public media, both in the United States and overseas. The GSM Association’s (GSMA) Fraud and Security Group has recently categorized SS7 vulnerabilities in a comprehensive document named FS.11. Mobile operators can obtain this document from the GSMA’s Fraud and Security Group through their GSMA delegates.

Are these threats to be taken seriously by mobile operators? Let’s review what a malicious attacker can do in a majority of mobile networks worldwide:

Types of SS7 attacks caused by vulnerabilities in mobile networks

  • Denial of service attack: a malicious attacker can bring down mobile services for a specific subscriber, a group of subscribers, random subscribers, or in some cases, for the entire network! (GSMA Category 2 and 3 vulnerabilities)
  • Geolocation: a malicious attacker can locate the cellphone of a subscriber, knowing only their phone number, with an accuracy of a few meters. (GSMA Category 1 and 2 vulnerabilities)
  • Call interception: a malicious attacker can intercept and record calls from a subscriber, without the subscriber or operator’s knowledge. (GSMA Category 2 vulnerability)
  • Toll fraud: a malicious attacker can purchase retail subscriptions from an operator, and make outbound toll calls without being charged for these calls. This can cause a significant loss to the operator within a short amount of time, when premium numbers are being targeted. (GSMA Category 2)
  • Wholesale SMS fraud: a malicious attacker can use a mobile operator’s network to terminate or relay large amounts of wholesale SMS messages. This practice can go on for years undetected. Good intentioned operators have deployed SMS firewalls, but some of the first generation firewalls can be bypassed by malicious attackers. (GSMA Category 3)

Additional abuses emerge continuously, imagined by more and more creative attackers, using techniques such as spoofing or fuzzing.

How is this possible? you might ask

The SS7 network was created decades ago, when the only parties connected to it were government owned telecom companies. Lay people did not know about its existence, its use or how it could be exploited. Nor could they get a connection into the SS7 network, even if they wanted to. So there was never any protection or authentication built into the protocol, because it was simple not needed, or so they though.

Roll forward several decades, and a typical mobile operator network “talks” to hundreds of other networks in dozens of countries, to facilitate international roaming, still without any protection or authentication.

12723623-drawing-social-network-world-map

What has changed in the last decade, is that each of the mobile operators that your SS7 network is connected to, in turn is connected to dozens of third parties, that are unregulated and unsupervised: MVNOs, SMS aggregators, number portability services, OTT players etc. In certain networks, there could be as many as a hundred third parties involved, all of which have access to SS7, making it impossible to police or supervise what types of messages are being sent to where. To clarify this: you are an operator in country A “open” for roaming purposes with country B. Country B could have a service provider connected to its network, that in turn does business with someone in country C, a country prolific with malicious attackers. You can now get attacked by someone in country C, but without proper detection and protection in place, you would never know it, which leaves your subscribers exposed!

What is the solution?

We believe that there are only 3 solutions:

  • Maybe you get lucky and your SCCP carrier launches a cloud-based SS7 firewall solution, that you can simply enable for an additional service fee. This is probably one of your least cost solutions, but remember that if your network services MVNOs that send you SS7 traffic over direct links, without going through your international SCCP carrier, you will be exposed to vulnerabilities coming over that route.
  • You protect your network by installing an on-premise SS7 firewall that filters 100% of your SS7 traffic (to include domestic traffic, an often forgotten component), and hope that the SS7 firewall vendor keeps up to date on how to protect against the latest attacks. More on this approach, which can vary greatly in cost and complexity can be found here.
  • You hire an external company to perform a SS7 network audit or SS7 penetration test to determine which or your mobile nodes are vulnerable to which attacks, and then work with your node vendors to eliminate vulnerabilities. We will be happy to assist you with that process as well. After all vulnerabilities have been eliminated, we rescan your network to confirm that no vulnerabilities remain, and perform periodic scans to ensure that no new vulnerabilities appear when new software releases are being installed on your nodes.

After installing an on-premises SS7 firewall or activating a cloud-based SS7 firewall solution, how will you know if you are protected against 100% of the vulnerabilities, considering that new ones appear all the time? The very best approach in our opinion is to install a third party on-premise firewall or use a cloud-based firewall provided by your SCCP carrier, and in addition, perform external SS7 penetration tests and telecom network security audits to ensure that your firewall stays on top of current vulnerabilities over time.

At this stage, some operators opt for our SS7 Cloud Scanner which allows their properly trained staff to generate ad-hoc SS7 messages from the external plane in order to test any new STP or firewall rules on their own. This can be particularly useful during the time when remediation work is conducted.