3 min read

Signalling threats: SS7 and beyond – part one

Fraud and security
Signalling Threats- SS7 and Beyond – Part One (2)

Based on our recent white paper, Signalling Threats; SS7 and Beyond, in this short series of 3 blogs we aim to summarise the issues raised in the white paper, how they are affecting the industry and what can be done to limit the extent of attacks. Mobile networks are exposed; under attack, insecure or even broken. We hear it in the media, through reports and at industry conferences. But, really, how bad is it? Are network attacks an unstoppable epidemic or something we can limit or even prevent? What is currently being done to remove vulnerabilities individually and within the Operator community, and is this enough?

The Current Situation

It has been widely acknowledged that a number of vulnerabilities in signalling networks are being exploited on a global scale, attacking both operators and individual subscribers. The weaknesses exposed open the door to sophisticated fraud, hijacking of subscriber communications as well as service disruption. Subscribers may be tracked and located down to street level, calls and messages intercepted, profiles tampered with to allow free of charge services, and in the worst case, services made completely unavailable through denial of service attacks. If the networks are left without adequate protection, operators may jeopardise their reputation and trust from the subscriber base and their enterprise customers. Historically, Mobile Network Operators (MNOs) have for a variety of reasons, been reluctant to report on successful signalling based attacks. The current trend however is towards a greater openness and information sharing between MNOs, with some reports even reaching mainstream media. One such report came from O2 Germany in mid-2017, when it was confirmed that hackers had used weaknesses in SS7 signalling as one of the steps in defrauding German banking customers. In light of the increasing number of reports of hacker influence on elections, elaborate fraud, distribution of malware and coordinated IoT devices in massive DDoS attacks; security is becoming a high priority across all industries, sectors and institutions.

Signalling Based Threats

Over the last ten years, a number of new potential risks and attacks over signalling links have been discovered and revealed, most notably by P1 Security and Philippe Langlois. But it was not until Karsten Nohl’s and Tobias Engels presentations at the Chaos Communication Congress (CCC) in 2014 that the media began paying attention to the issues, making signalling a hot topic for both MNOs and the industry as a whole. Signalling networks were designed for a small, trusted set of large and often state-run telecom operators. They had none of the standard security mechanisms that we have come to expect of modern networks. These days, however, we find that an increasing number of parties have access to the global signalling network. With the advent of MVNOs, specialised micro operators for A2P, IoT, M2M and other services, the number of potential entry points for an attacker are increasing dramatically. The mechanics of signalling protocols are currently not presenting much of a barrier to attacks. There is no encryption inside the core network and no end-to-end authentication. Signalling based attacks rely heavily on the implicit trust built into the global signalling network, and the fact that signalling traffic was never expected to need filtering. Consequently, unauthorised nodes can often query any network, request subscriber information and update subscriber profiles, even if the originating node itself has no relationship to the target network. So, who is being affected by the threats to the network, and what are the consequences?

The Subscriber

A smartphone user could be targeted in a number of ways through the technologies offered by their device. As a target, the subscriber could be subjected to financial fraud, identity theft, their device may be incorporated into a botnet, or they may be remotely monitored and their private data continuously exfiltrated.

The Mobile Network Operator

The main consequence for MNOs is that subscribers, regulators and security agencies will increase pressure on them to improve security and protect subscribers, as well as defend against larger critical infrastructure attacks. The natural reaction to non-business driven change is to delay as much as possible to avoid additional costs. In the case of security however, this may be a dangerous path. If MNOs do not take the issue seriously, we might start seeing subscribers migrate from less secure networks to ones that offer a higher degree of protection.

The Industry as a Whole

Since the most recent reports and the rediscovery of signalling vulnerabilities at CCC in 2014, the industry has been very active and become more responsible about this problem. Many MNOs have initiated risk assessment programs and/or security audits of their networks in response. The GSMA takes signalling threats very seriously, and has appointed a dedicated sub-group to collate recommendations for dealing with signalling threats. These recommendations have been collected in a series of documents, and provide methods for monitoring as well as filtering SS7 and Diameter signalling networks. Regulatory bodies in various geographical locations are defining recommendations in parallel with the industry. Leading regions in information technologies, including the Nordics and the FCC in the USA, have already drafted recommendations and other nations are likely to follow. Watch this space for our next blog to see how signalling threats are affecting specific areas in the Telecom industry.

Originally posted on www.symsoft.com, find out more about Symsoft’s rebrand to Sinch in the press release here.

Based on our recent white paper, Signalling threats; SS7 & beyond, we take a look at the issues raised in the paper and how they are affecting the industry.