Exploring SS7 fraud, mobile network security and subscriber privacy
It’s been a transformative year for mobile technology. Networks are evolving quickly and consumers and enterprises have taken advantage of the abundance of new, “connected” opportunities. However, with changes in mobile innovation and technology comes increasing security issues, network vulnerabilities and data privacy which has become – and will continue to be – a major topic as we head into 2016 and beyond.
One security hot topic, which has received widespread publicity in 2015, is the vulnerabilities associated with SS7 signaling, as well as other signaling protocols’ such as SIP and Diameter. For those with a lesser technical background, signaling system 7 and other protocols are the telecoms network technology widely used by cellular companies to enable mobile subscribers to communicate with anyone, anywhere. Although designed as a “trusted network,” the fact is the network is not always as secure as was earlier believed. Potential threats to signaling networks, like SS7, are increasing across many sources and are beginning to be exploited by fraudsters and hackers with ill intent. Multiple recent news articles have revealed unauthorized access to the network is not only possible, but much easier than ever before.
This unauthorized access, coupled with a lack of end-to-end authentication, leaves mobile networks vulnerable to fraud and misuse, shaking consumer trust in the operator’s ability to provide privacy and prevent fraud. To date, loopholes in the SS7 protocol have been exploited to steal money, listen in on conversations, monitor messages, track a subscriber’s location, manipulate network and subscriber data and generally disrupt services.
Given that there are more users of the SS7 network worldwide than there are of the Internet, concern about SS7 security by operators and subscribers alike is widespread, serious and should be treated with utmost importance.
SS7: a vulnerable history
Signaling networks have gone through multiple stages of evolution. Originally, SS7 networks were very specific to mobile operators and required specialized equipment to arrange even for simple connectivity on a physical layer. This closed circle of users (limited to mobile operators only) combined with overall complexity of protocols ensured very controlled access to the signaling networks, making it nearly impossible to obtain access to an SS7 network through a remote, unauthorized host.
However, as early as 2008, SS7 vulnerabilities were openly discussed in public at the Chaos Computer Club Conference in Germany. A German researcher demonstrated how the location of a mobile phone could be determined. Prior to that, we now know that telecom engineers warned of possible risks and even high-level government officials were aware of the threat and voiced concern. It was again in 2013 that these issues came to light, when it became known that a government security agency had exploited SS7 vulnerabilities for surveillance purposes.
While the technology dates back to the 1970s, the process of placing voice calls on modern mobile networks is still based on the same SS7 technology. New signaling transport protocols known as SigTran are deployed, which allows SS7 to run over IP. The ultimate goal of SigTran was to move from converged TDM/IP network to an all IP network, taking advantage of bandwidth, redundancy, reliability and access to IP-based functions and applications.
Additionally, newly deployed “4G” networks use the same concept of an all-IP network and have adopted Diameter as the signaling protocol that runs over IP. The technological concept for providing end-user services within the evolved packet cores enables similar procedures as SS7-based networks.
Yet, moving onto IP has not resolved the issues, it has in fact unfortunately provided new points of vulnerability. Important information has become exposable beyond the circle of trust within mobile operators, and the risk of privacy intrusions can quantify in the millions, depending on the case. This can lead to huge damages not only to the operator, but also affect direct revenue due to the loss of VIP customers, enterprise customers and legal exposures.
SS7: the central nervous system of the network
Think of the mobile network as human anatomy. Signaling is the central nervous system of the mobile operator’s network, with mission-critical real-time data on subscriber identity, status, location, traversing the network. This data enables the authentication of subscribers and their devices, performs call setups, authorizes charging, enforces data policies, manages quality of service and enacts roaming or interconnection agreements. Gaining access to such pertinent information can be extremely beneficial for commercial purposes, but it can also be very risky if used by the wrong people.
Someone with an appropriate level of technical skill and malicious intent can easily exploit the mobile network and its subscribers. Hacking into networks is not as nearly as difficult as we had previously thought, proving in today’s world that keeping the mobile network secure is pertinent for both public safety and privacy.
Signaling fraud: how it happens
Attackers with the right expertise build nodes to emulate network elements while acting within a mobile network or on behalf of it. Simulated elements range from base transceiver stations to mobile switching centers, gateway GPRS support nodes to short messaging service centers. While location data is used by the operator to perform certain legitimate and acceptable functions (think of mobile banking services), the IP as transport layer was not designed to detect acceptable versus unacceptable traffic. There are a number of entry points in a signaling network, which can be exposed at various levels. These exploits to take various forms including:
- Obtaining the mobile subscriber’s confidential identity.
- Determining subscriber’s location.
- Blocking a subscriber from receiving incoming calls and texts.
- Intercepting a subscriber’s incoming text messages.
- Sending a request to transfer funds between a subscriber’s accounts.
- Manipulating the subscriber’s profile to bypass billing.
- Redirecting the incoming calls.
- Denying the incoming calls.
With each exploitation, hackers have specific goals for targeting subscribers. For operators, it is important to recognize these threats before they become full blown attacks and result in business revenue loss, customer dissatisfaction and fraud.
SS7: Looking ahead – solving the signaling security problem
The mobile ecosystem has begun to define recommendations, build and implement solutions to detect as well as prevent potential attacks. Operators need a solution that is easy to deploy yet comprehensive and ideally one that overlays the existing architecture. That means integration should be flexible and eliminate the need (and expense) of redesigning the underlying signaling network architecture. The objective is not to merely block suspicious traffic but to use global threat intelligence and advanced analytics to secure the network against privacy and fraud attacks.
There are several layers of protection that can be put in place to prevent attacks. These layers include:
- Filter and control incoming MAP/CAP request received
SS7 MAP/CAP operation level control should prevent unauthorized usage of the network primitives revealing location and subscriber identity. This measure that often can be configured at the STP level is necessary but not exhaustive. The same interconnect elements originating legal MAP/CAP requests might still be used by the attacker as an entry point into the network. To efficiently address this aspect of fraud control, validation of requests should happen across all the layers of the SS7 stack.
- Active validation of the originating entity
For any suspicious operation received from outside of the network originated on behalf of own subscriber, the actual location (VLR/MSC) of the subscriber should be validated. This is known as an anti-spoof technique which is often used for mobile originated text messages; however there is a whole range of MAP/CAP operations where this technique should be applied.
- VLR/MSC update validation
The mobile nature of cellular communication assumes that subscribers are on the move. At the same time, it is physically impossible that the same subscriber will be appearing in the different parts of the world within a short time period. When a roaming subscriber identifies itself in one European country (for example Germany), it is physically impossible that the same subscriber can appear somewhere in Asia or Latin America in the next ten minutes. Such a situation should raise an alarm at the operator security department.
- Detection of the unusual MSU sequences
Various optimizations and multi-year staged expansions of the signaling networks has led to a number of non-standard interactions between various network elements. These types of interactions are usually abused by the attackers to create grey-routes and masking individual subscriber attacks.
- Offline data analytics
Though some of the attack techniques have been identified and can be disclosed using one of the measures mentioned above, it should be recognized that attackers will be exploiting more and more ways to break subscriber privacy or harm the mobile network. Therefore any unusual activity should be detected in near real-time mode using modern, big data analytical tooling. As a result of such analysis, the source of the potential suspicious activity can be identified enabling enforced control on discovered network elements or subscribers.
Simplistic IP firewall protection methods are not sufficient to detect and resolve the large majority of these vulnerabilities. Instead, a comprehensive layer-distributed solution in the form of a signaling firewall is required. The firewall should contain a powerful rules engine that enables screening of traffic by exposing parameters from all relevant SS7 stack layers for comparison and validation between each other and preconfigured parameters combined with the techniques mentioned above. It must also address not only today’s threats but be sufficiently flexible and dynamic to be capable of addressing those that are yet to come. Ideally, the solution would provide an easy to use interface, real-time access to information, predefined and just-in-time filters and underlying support from a world-class data engine.
Given that mobile communications is a prime target for hackers who desire to penetrate critical infrastructures and businesses, operators need to be aware of the types of attacks and tools that are used by spammers, scammers and fraudsters, but also show how a network can be audited and protective measures put in place quickly before subscribers, organizations, and even governments fall prey to misuse and are severely impacted. It is imperative that the ecosystem work together to build these critically needed solutions.
Jim Saunders is the EVP of Digital Communications at Xura, a global telecommunications company offering a portfolio of digital services that enable global communications across a variety of mobile devices and platforms.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: [email protected].
