In a recent blog post, we explained how it wasn’t sufficient to block SS7 attacks that allow attackers to obtain a subscriber’s IMSI (GSMA Category 1 vulnerabilities) in order to keep a network secure from further SS7 attacks. This is because many other ways exist to obtain a subscriber’s IMSI besides obtaining it via SS7.
Today we illustrate this idea by showing one more way attackers are obtaining subscribers’ IMSIs to potentially conduct subsequent Category 2 and 3 SS7 based attacks. The following video posted by hackers on Youtube, shows how an IT vulnerability in T-Mobile USA’s Internet facing infrastructure allowed attackers to harvest IMSIs for any T-Mobile USA subscriber. While the vulnerability has since been remediated by T-Mobile, it reinforces the idea that security by obscurity is not viable when it comes to defending against SS7 Category 2 and 3 vulnerabilities. And also that a mobile operator can never do enough FQDN penetration tests, ie penetration tests on its IT infrastructure.