The SS7 Security Threat is Real. How Can MNOs Respond?

It was only a matter of time, but the shortcomings of SS7 have become an issue impossible to ignore. The 40-year-old telephone network signalling protocol has hit global headlines twice over the last few months: first when a number of vulnerabilities were highlighted on the US current affairs broadcast, 60 Minutes, and more recently when it emerged that one particular exploit could be used to intercept encrypted WhatsApp messages.

While knowledge of vulnerabilities in the SS7 system will not be news to the telecoms industry, this increased level of exposure will likely increase the pressure on operators to take action and make their networks less vulnerable to attacks. But SS7 has been a wildly successful protocol, and is used by the vast majority of global operators across multiple generations of telecoms architecture. More modern and secure signalling systems do exist, such as LTE and Diameter, but the ubiquity of SS7 will mean that it will be a long time before it becomes obsolete.

Plugging in

The current landscape of multiple fixed line operators, MNOs and MVNOs in each geography means that it has become an almost impossible task to ensure that the SS7 system is accessed only by those who are authorised to do so. All a hacker needs is a single feed into a network to get access to virtually the entire global telephony system, making a large variety of attacks possible from anywhere in the world. With almost five billion mobile subscribers globally, that is a lot of people to be potentially at risk.

But how can a hacker get access to a feed? There are many reports of unethical firms offering access to the SS7 system on the black market. It’s likely that much of this access is being facilitated by operators in some of the world’s less rigorously regulated markets. All that is needed is a provider with a connection to an SS7 hub, and with access being sold on to third parties by the day or even hour, it has the potential to be a lucrative business for some. Some telecoms network equipment, such as personal, short-range base stations known as femtocells, has access to both SS7 and IP networks, creating other possible vulnerabilities, and remote SS7 hacks via the internet have been documented.

The exploits that were highlighted in the 60 Minutes documentary and reports on the WhatsApp hack were related to the Mobile Application Part (MAP) and CAMEL Application Part (CAP), signalling layers on top of SS7 used to deliver additional services related to mobile services and Intelligent Networks. Techniques for identifying users’ location as well as intercepting and hijacking traffic were originally discovered and demonstrated by researchers Tobias Engel and Karsten Nohl in 2014.

These were in addition to a number of other known SS7 exploits that allowed details of call and message traffic to be spoofed or faked for fraud purposes. The Fraud and Security Group (FASG) within GSMA, the mobile industry body, publishes and maintains a number of documents outlining the complete range of SS7 vulnerabilities relating to SMS traffic and mobile telephony in general.

Those responsible for using these exploits can be broadly broken down into two groups. The SMS-based exploits, including Flooding, Spoofing and GT Faking, have become popular with fraudsters and scammers as well as messaging service providers looking to take advantage of the vulnerabilities for monetary gain. SMS phishing scams which are made to appear to come from legitimate businesses, including banks, in order to steal personal data are growing in popularity and becoming more targeted in nature.

A2P messaging, often used for marketing and other SMS-based alerts, has become a multi-billion dollar business. By using these exploits, unscrupulous messaging service providers can spoof the sender ID or fake a message’s origin to avoid paying the termination fees. In some cases, this can lead to incorrect billing to consumers or other operators, putting legitimate MNOs’ reputations at risk. Flooding, similar to DDoS attacks on IP networks, can have a direct impact on quality of service.

National intelligence and law enforcement agencies are those that are currently most likely to use the CAMEL-related exploits for surveillance purposes. Edward Snowden’s revelations showed that the NSA has long targeted mobile phone networks, but reports have also emerged of third-party providers offering SS7 surveillance services to agencies in other countries that may not necessarily have access to the same level of sophisticated technology.

While it could be argued that such surveillance techniques are a necessary consequence of the current international security climate, the increasing number of firms offering these services suggests it is only a matter of time before fraudsters and criminals are in a position to take advantage. Location tracking has potentially serious implications for personal safety, while intercepting call and message traffic would be of benefit to those engaged in identity theft.

Fighting back

But mobile networks are not powerless to stop the effects of SS7 vulnerabilities. Increasing the validation required of SS7-based processes and deploying a mobile network firewall to block illegitimate SS7 packets from coming into the network can have an immediate impact on cutting down fraudulent activity. More sophisticated firewalls now allow for suspect traffic to be quarantined and inspected in greater detail to determine its legitimacy. 

Filtering at the Mobile Application Part (MAP) level can effectively block the commands used in some of the more sophisticated attacks. Despite the effectiveness of firewalls, take-up by international operators has not been universal and many large MNOs do not have adequate protection in place to face these newer threats. The wider industry is aware of these issues, and organisations such as the GSMA and the Communications Fraud Control Association do good work in facilitating knowledge-sharing and highlighting best practice.
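The block, quarantine and allow decisions described above can be sketched as a small policy over already-decoded inbound messages. This is an added example, not code from the article or from any firewall product; the global title prefixes, the list of internal-only MAP operations and the record layout are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# All prefixes are constructed sample values, not real operator ranges.
HOME_GT_PREFIXES = ("99901",)              # our own network elements
PARTNER_GT_PREFIXES = ("99902", "99903")   # operators with roaming agreements

# MAP operations expected only between nodes of the same network
# (illustrative list, an assumption of this example).
INTERNAL_ONLY_OPS = {"anyTimeInterrogation", "sendIMSI", "sendRoutingInfo"}


@dataclass(frozen=True)
class MapMessage:
    ingress: str      # "internal" or "interconnect" (link it arrived on)
    calling_gt: str   # SCCP calling-party global title, digits only
    operation: str    # decoded MAP operation name


def classify(msg: MapMessage) -> str:
    """Return 'allow', 'block' or 'quarantine' for one inbound message."""
    if msg.ingress == "internal":
        return "allow"                    # traffic between our own nodes
    if not msg.calling_gt.isdigit():
        return "block"                    # malformed origin address
    if msg.calling_gt.startswith(HOME_GT_PREFIXES):
        return "block"                    # home GT on an external link: faked origin
    if msg.operation in INTERNAL_ONLY_OPS:
        return "block"                    # no reason to arrive from another network
    if not msg.calling_gt.startswith(PARTNER_GT_PREFIXES):
        return "quarantine"               # unknown origin: hold for inspection
    return "allow"


def summarise(messages) -> Counter:
    """Count decisions over a batch, e.g. for a daily firewall report."""
    return Counter(classify(m) for m in messages)


# Constructed sample traffic.
SAMPLE = [
    MapMessage("interconnect", "99902111", "updateLocation"),
    MapMessage("interconnect", "99902111", "anyTimeInterrogation"),
    MapMessage("interconnect", "99901555", "updateLocation"),
    MapMessage("interconnect", "99950000", "sendRoutingInfoForSM"),
    MapMessage("internal", "99901001", "anyTimeInterrogation"),
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```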

Further security measures are currently being developed, but as with all systems, the most dangerous vulnerability is the one that is not yet known. While the more secure LTE protocol will eventually replace SS7, a patchwork approach is the best bet for securing the global telecoms ecosystem in the short to medium term. But it remains to be seen if all operators will take a similar approach to try and stay in control of their networks.
