SS7 Exploits – Operators Call for Action

 In News, Operator News

During the yearlyGSMA SS7 Security hacker conference CCC in Germany 2014, Tobias Engel shocked the telecom industry with his speech on SS7 and how to locate, track and manipulate mobile subscribers [1].

Voice telephony is based on connections we call circuit switched. Think of them like a virtual cable that goes between the two people who are talking. In addition to this, there must be a mechanism to logically pull this cable between the two speakers when the call is initiated, and to tear it down when the call is concluded. In the early history, a human operator did this work. The next step was to automate this and machines had audible beeping in the same logical cable as the speech. The movie Sneakers [2] shows how The Whistler was able to mimic this in-band signalling to be able to call for free. As a next step, the signalling was extracted into a parallel (out-of-band) packet switched system, inaccessible to the subscriber. This parallel packet system is what is called Signalling System No 7, or SS7.

Communication today is normally implemented in the form of “stacks”, i.e. layers of communication with defined interfaces. On the internet you can run multiple application protocols on top of the IP layer. Browsing uses HTTP, file transfer uses FTP but anyone can build their own protocol on top of IP. As long as the sender and receiver understand the specifications, then IP can carry it nicely. The same is valid for SS7, where on the application layer you have ISUP (connections – call, hangup, CLI and so on), MAP (mobility and SMS), CAP (CAMEL, can be seen as an extension of MAP with functions for number manipulation, prepaid and so on).

Back when the signalling was moved out of band, the functions got to be secure again. This was due to the fact that the SS7 network was only accessible to state owned telecom operators. Since then, access to SS7 has been granted to other parties and as Mr Engel shows, this opens up an attack vector to the the entire telecom industry.

The internet industry knows that security in the form of firewalls must be established in order to protect the integrity of their subscribers. No ISP sells a router to you which doesn’t also feature an SPI firewall. Few companies run an office without a connection via a firewall. In the telecom industry, it’s up to the operators to secure their networks by installing SS7 firewalls. A shockingly low share of them do.

What is the SS7 firewall?

The MAP protocol [3] contains a number of functions for mobility management, especially in the context of roaming. A number of these are only relevant in the context of one’s own network. An SS7 firewall filters out queries from outside the network, that they have no reason to ask, unless it’s a grey use case.

So Mr. Engel presented this, but we are constantly warned about things and most of them are “cry wolf” instances. This is NOT one of these cases. Earlier this year, German subscribers were scammed while having bank accounts drained [4][5]. It’s quite a complex attack but one where access to “Two Factor Authentication” SMS (“2FA”) was pivotal to make the scam work.

So dear operators of the world – PLEASE implement SS7 firewalls. Secure the integrity of your customers so they cannot be located by any third party having SS7 access. Please secure their bank accounts by ensuring that 2FA cannot be intercepted. Please secure their prepaid buckets by ensuring manipulated USSD isn’t possible.

PS: 2FA using SMS is a great thing, if the operators do their part and have firewalls in place.

 

[1] https://www.youtube.com/watch?v=-wu_pO5Z7Pk

[2] http://www.imdb.com/title/tt0105435/

[3] https://en.wikipedia.org/wiki/Mobile_Application_Part

[4] https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

[5]https://arstechnica.com/SECURITY/2017/05/THIEVES-DRAIN-2FA-PROTECTED-BANK-ACCOUNTS-BY-ABUSING-SS7-ROUTING-PROTOCOL/