Signalling System 7 (SS7) is still full of holes – what are operators doing about it asks Kate O’Flaherty?
SS7 is still full of security holes, despite attempts to police the age-old signalling protocol. In 2017, hackers exploited SS7 as part of a two-stage attack designed to drain money from online bank accounts in Germany, using a combination of phishing and call-forwarding. It’s also possible to use SS7 to divert and eavesdrop on calls.
The SS7 protocol is crucial for the exchange of information needed for incoming and outgoing voice calls and SMS communications. Yet attackers can exploit security vulnerabilities in the protocol to enable bigger and increasingly targeted attacks. Controversial surveillance company NSO Group allegedly offered “bags of cash” for access to the world’s mobile networks, according to confidential disclosures to the US Justice Department reviewed by The Washington Post.
The SS7 network is targeted to achieve aims including tracking, information gathering, communications interception and fraud. Attackers come in the form of surveillance companies, nation state adversaries and organised crime groups.
Some of these attacks ware very hard to thwart. Access to the SS7 network will always be sought by spyware vendors, says Cathal Mc Daid, CTO of AdaptiveMobile Security. “Mobile operators must proceed on the assumptions that hostile actors, including surveillance companies, already have access to the SS7 and diameter 4G networks, and will have access to HTTPS 5G networks in the future.”
It’s a major concern, but moves are being made all the time to protect networks from damaging SS7 based attacks. Take the example of Ukrainian operators Kyivstar, Vodafone and Lifecell, which have blocked access to their networks for subscribers in Russia and Belarus in a major SS7 security move.
Mobile operators already use measures such as firewalls to protect SS7, so what else needs to be done?
Designed without security
SS7 is the oldest worldwide signalling system. The protocol was designed by AT&T in 1975 and ratified for international use in 1988. It was last updated in 1993, long before VoIP was conceived.
The primary problem with SS7 is that it was designed with “absolute trust of all parties at its core”, says Chester Wisniewski, Principal Research Scientist at Sophos. “Because of this, anyone that has access to provide phone services can redirect, spy and control any phone number in the world.”
He concedes that this is “not as simple as it sounds”, but adds: “The inherent vulnerabilities are built-in out of the trust-by-default security model. It is possible for a carrier to ensure their own networks are less likely to be abused, but that doesn’t prevent any other SS7 network operator from abusing the flaws either intentionally or by not adequately securing their own access.”
As mobile operators have added more functions and services over the years, signalling networks have had to carry increasing amounts of sensitive and confidential data, such as location, SMS texts, and billing data. This is available via roaming interconnectors, and bad actors are keen to gain access, says Sergey Puzankov, Head of Service Delivery at telecom security-focused start-up SecurityGen. “Once an intruder gains access to a signalling network, they can potentially attack any subscriber of any mobile operator in the world.”
Attackers can gain access to an SS7 network and exploit its vulnerabilities via a semi-legal connection, such as by impersonating a genuine service company. It’s also possible to break in via an insider, bribes for the connection, or by hacking another network that connects to the target SS7 network, Puzankov says. He says SecurityGen has carried out numerous security monitoring projects that revealed SS7 requests originating from a fixed-line network connecting to and accessing a mobile network.
Threat actors
Threat actors can launch remote SS7 attacks from any location across the world to infiltrate messages received from interconnected links from other networks without any explicit agreement to do so, says Kev Eley, Vice President Sales, Europe, at LogRhythm. This can lead to a number of damaging attacks on mobile operators and their customers including Denial of Service attacks, fraud instances and data leakage of confidential subscriber information such as location, text messages, and conversations, he says.
AdaptiveMobile Security revealed the activities of a sophisticated, Russian-origin connected signalling threat platform it calls HiddenArt. “HiddenArt is unique because it tries to make its source SS7 addresses as similar as possible to real, non-malicious SCCP Global Title unique addresses used by legitimate mobile network nodes. It does this to hide its true origin,” says Mc Daid.
The firm has detected a series of advanced attacks by HiddenArt against specific, targeted mobile phone subscribers over SS7, including location tracking, information harvesting and telephone and SMS interception.
Network security moves
Mobile operators are addressing the SS7 issue, but more needs to be done. Going forward, 5G will add complexity that could create further issues. “As we start to see deployments of 5G networks, we need to be mindful that many operators will build 5G on top of other technologies,” Mc Daid points out. “So you need to correlate security activity across all protocols and ingress points, old and new.”
A good foundation is important: Conventional IT network security processes can also be applied to SS7 networks, says Puzankov. This includes firewalls to block malicious traffic; monitoring systems to detect intruders and malicious attacks; and penetration testing to identify vulnerabilities.
But is this level of protection effective? “All networks are vulnerable in some way, shape or form,” says Puzankov. “No single solution or system can completely address all the problems and vulnerabilities associated with specific features of the SS7 network architecture.”
He says the answer is an integrated approach in which network security is an “ongoingcontinuous process” that encompasses “regular and frequent security assessments, plus ongoing monitoring to detect attacks and intruders”.
For users, two factor authentication is key to protecting against attacks taking advantage of weaknesses in SS7. Despite SMS codes being intercepted in the past, Wisniewski strongly recommends the use of multifactor authentication, including SMS, over passwords alone. “But SMS-based multifactor should be avoided for critical applications and security keys or authenticator apps should be used when available.”