Security BSides CDMX

Mobile operators understand the SS7 security problem and protect signaling networks. We have found out SS7 has vulnerabilities that allow bypassing any security tools. I will demonstrate how an intruder can perform any attack against subscribers in mobile networks protected by mature security tools.

New technologies are constantly appearing in our life. Nowadays the mobile world is moving to 5G. However, there are billions of subscribers who still use GSM and UMTS networks, which rely on the SS7 (Signaling System #7) protocol stack. When the SS7 stack was being developed, it was supposed to be used as an isolated network within a small club of big telephone operators with a high level of trust. Developments in telecommunications brought their own correctives. Firstly, the number of operators has been growing rapidly. Secondly, in the early 2000s, SS7 got the possibility of sending signaling traffic over IP networks with a new specification called SIGTRAN. The SS7 network stopped being isolated and the small club stopped being small. Now an intruder can easily connect to an SS7 network and perform attacks specific to mobile operators, such as location tracking, service disruption, fraudulent activity, SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA – the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks. Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update. I will demonstrate how an intruder can perform the above-mentioned attacks against subscribers in mobile networks protected by mature security tools. I will explain why it is possible and how networks and security equipment react to malicious traffic. In addition, I will give recommendations to mobile operators on how to improve security on their networks.