For the past decades, the SS7 protocol has been our closest neighbour supporting the roaming infrastructure. However, with untrusted agents exploiting this protocol and the migration to 5G, many operators are at risk of data breaches and of being unable to switch quickly to a secure 5G infrastructure. Especially now, when major cybersecurity organizations (ENISA) include signaling security in their 5G threat landscape, the SS7 protocol has to come into the spotlight during the design stage.
Our live webinar, hosted by our telecom experts Federico Aureli, Technical Security Specialist, and Milan Brezina, Telecom and SMS fraud expert, reveals the trending topics in SS7 security and explains:
- Why SS7 will stay for a long time even in the era of 5G
- Why mobile operators should take SS7 weaknesses into account
- What real-life SS7 protocol fraud cases exist
Follow us on LinkedIn to keep up with our upcoming webinars and events: https://www.linkedin.com/company/positive-tech
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
1. SS7: THE BAD NEIGHBOR YOU'RE STUCK WITH DURING THE 5G MIGRATION AND FAR BEYOND
2. Speakers
FEDERICO AURELI
Technical Security Specialist
Member of Expert and Delivery Team
15 years experience in Cybersecurity
MILAN BŘEZINA
Telecom and SMS fraud expert
Gained Ph.D. Of Telecommunication in 2007
12 years experience of Messaging and Security
3. Agenda
About us
Migration process
Statistics about your neighbour
Real examples (demo)
GDPR and our privacy
Our answer to migration
4. Positive Technologies
18 years of experience in security development and research
200+ zero-day vulnerabilities discovered yearly
Recognised global security driving force
Global presence: UK, London (Headquarters); Italy, Rome; Czech Republic, Brno; Russia, Moscow; Brazil, Sao Paulo; South Korea, Seoul; + others
5. Analytics and research
Responsible disclosure — responsible attitude
2014: Signaling System 7 (SS7) security report
2014: Vulnerabilities of mobile Internet (GPRS)
2016: Primary security threats to SS7 cellular networks
2017: Threats to packet core security of 4G network
2017: Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2018: SS7 Vulnerabilities and Attack Exposure Report
2018: Diameter Vulnerabilities Exposure Report
2019: 5G Security Issues
2020: SS7 network security analysis report
2020: Security assessment of Diameter networks
2020: Threat vector GTP
6. Now what can a Hacker do?
Easily, from anywhere, from any mobile operator, no special skills needed
From GSM to 5G: different protocols, same threats
Steal your money
Get access to your email and social media
Track your location
Intercept your data, calls and SMS messages
Take control of your digital identity
Perform massive denial of service attacks
7. Realities: the question is not “will I be hacked or not” ...
9 out of 10 SMS messages can be intercepted
67% of networks fail to prevent bypass of Firewall protections
ALL LTE networks are vulnerable to denial of service attacks
3 hours average subscriber down-time after a DoS attack
…the question is “when it will happen and how painful will it be”
11. 5G Roaming zoom-in
Diagram: HOME OPERATOR (HOME NETWORK) and ROAMING PARTNER (VISITING NETWORK), each behind its own SEPP, plus the Data network
12. Evolution of mobile technologies
1980: 1G (Analogue) | 1991: 2G | 1999: 2.5G+ | 2001: 3G | 2005: 3.5G | 2010: 4G | 2017: 5G (also marked on the timeline: 4.5G, 2019)
Protocols on the timeline: SS7, GTP, SIP, Diameter, APIs
Continual introduction of new use cases, change of importance to society
18. SS7 By-Pass Statistics
Under 1 in 4 Firewalls were able to successfully secure the network
57% of SMS Home Routing Platforms can be circumvented
19. Percentage of successful attacks aimed at disclosing a subscriber's location
Subscriber location disclosure (percentage of successful attacks)
20. Percentage of successful attacks aimed at disclosure of subscriber information
Vulnerabilities exposing IMSIs (percentage of successful attacks)
Subscriber information disclosure
21. Percentage of successful attacks aimed at network information disclosure
Vulnerabilities allowing network information disclosure (percentage of successful attacks)
Network information disclosure
24. Example: Double MAP attack
TCAP message structure: TCAP MESSAGE TYPE — MANDATORY; TRANSACTION IDS — MANDATORY; DIALOGUE PORTION — OPTIONAL; COMPONENT PORTION — OPTIONAL (COMPONENT 1, COMPONENT 2)
Diagram: PBX sends TCAP Begin (Data_REQ) → STP: send the message to the SS7 FW for inspection → SS7 FW: inspect the first component only and forward the message to the network → MSC/VLR (Data_REQ)
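The inspection flaw on this slide, as an added example that is not code from the webinar or from Positive Technologies' products: a simplified TCAP message model, a firewall that checks only the first component (bypassed by the double MAP message) beside one that checks every component. The MAP operation codes are the standard ones; the blocking policy, IMSI prefix and message field values are assumptions.

```python
"""Toy model of the double MAP bypass and a firewall check that closes it.
Added example, not code from the webinar or from Positive Technologies.
TCAP/MAP structures are simplified; no BER encoding is performed."""
from dataclasses import dataclass, field
from typing import List, Optional

# MAP operation codes (3GPP TS 29.002) for the two operations named on the slide
INSERT_SUBSCRIBER_DATA = 7
DELETE_SUBSCRIBER_DATA = 8

# Policy modelled here (an assumption for the example, not a rule quoted from the page):
# a subscriber-profile operation arriving over the interconnect and naming one of
# our own subscribers (home IMSI prefix) is blocked.
SENSITIVE_OPS = {INSERT_SUBSCRIBER_DATA, DELETE_SUBSCRIBER_DATA}


@dataclass
class Component:
    """One component (MAP operation) of the optional component portion."""
    op_code: int
    imsi: Optional[str] = None  # subscriber identifier, None when absent


@dataclass
class TcapMessage:
    msg_type: str                   # mandatory: Begin / Continue / End / Abort
    transaction_id: bytes           # mandatory transaction id(s)
    dialogue: Optional[str] = None  # optional dialogue portion (application context label)
    components: List[Component] = field(default_factory=list)  # optional component portion


def component_violates(comp: Component, home_imsi_prefix: str) -> bool:
    """True if this single component breaks the policy above."""
    return (comp.op_code in SENSITIVE_OPS
            and comp.imsi is not None
            and comp.imsi.startswith(home_imsi_prefix))


def naive_firewall(msg: TcapMessage, home_imsi_prefix: str) -> str:
    """Behaviour shown on the slide: only the first component is inspected."""
    if not msg.components:
        return "FORWARD"
    first = msg.components[0]
    return "BLOCK" if component_violates(first, home_imsi_prefix) else "FORWARD"


def hardened_firewall(msg: TcapMessage, home_imsi_prefix: str) -> str:
    """Same policy applied to every component; one bad component blocks the message."""
    for comp in msg.components:
        if component_violates(comp, home_imsi_prefix):
            return "BLOCK"
    return "FORWARD"


def double_map_example():
    """Runs the slide's message through both firewalls and returns the two verdicts."""
    # Constructed message: first component carries no identifier, the second one
    # carries the target IMSI. MCC 999 and the IMSI digits are constructed test values.
    home_prefix = "99901"
    msg = TcapMessage(
        msg_type="Begin",
        transaction_id=b"\x00\x00\x00\x01",
        dialogue="subscriberDataMngtContext-v3",
        components=[
            Component(INSERT_SUBSCRIBER_DATA),
            Component(DELETE_SUBSCRIBER_DATA, imsi="999010000000001"),
        ],
    )
    return naive_firewall(msg, home_prefix), hardened_firewall(msg, home_prefix)


if __name__ == "__main__":
    print(double_map_example())  # ('FORWARD', 'BLOCK')
```

The naive firewall forwards the message because the first component has no identifier; the hardened one blocks it on the second component, which is the check a signaling firewall needs for multi-component TCAP messages.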
26. Percentage of successful call and SMS interception attempts
The interception of SMS messages is one of the greatest threats facing mobile operators today. When this information is leaked, it can seriously damage an operator's reputation in the eyes of clients and lead to significant losses.
Example: Interception of SMS
28. GDPR as additional risk
Could telecom operators be at additional risk?
Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach.
And this fact provides an opportunity for unscrupulous actors to take advantage…
Huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
29. GDPR & Telecom Networks
Personal data groups: Identification & Contact Information; Metadata Location Information; Metadata Traffic Information; Subscription Information; Financial & Content Information; Internal Identifier
Examples of data types: TELEPHONE NUMBER; CELL ID, CELL TOWER LOCATION; LIST OF SERVICES TO WHICH A CUSTOMER HAS SUBSCRIBED (PROFILE); SERVICE ID (NA OR MSISDN), DEVICE ID (IMEI, IMSI); IP ADDRESS, APN; SMS & CALLS
30. Example how to exploit GDPR
MNO/MVNO SIGNALING NETWORK
1. Attacker gathers any information possible from the target network
2. All information is used to create as big a database of information as possible from the target operator
3. Attacker informs target operator of breach, demanding a ransom to not expose stolen data
4. Operational and administrative overhead plus reputational damage as Customer Notification completed
5. If no monitoring solutions are in place to check claim, no choice but to inform GDPR regulator
6. Possible severe fine: €10M–€20M, or 2%–4% of annual revenue
31. Audit, Detect, Respond (cycle)
Detect: Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation
Respond: Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process.
Audit: Auditing provides essential visibility to fully understand your ever-changing network risks.
Start your new mission today
32. PT TAD: Full Protection Visibility
IDS | FW/IPS | NgFW
Full solution, Full protection: IDS + FW modules (NgFW)
Bypass analysis
True Network visibility, continuous monitoring and advanced analytics.
Augments already existing FW investments if present
Optional FW/IPS module available by simple license upgrade from IDS installation or as standalone solution
34. GSMA COMPLIANCE CHECK
ENISA estimates that only 30% of EU operators have implemented GSMA security guidelines
The quickest way to ensure compliance with GSMA FS.11, FS.19, IR.82
35. Recap
5G NSA SECURITY IS IMPOSSIBLE WITHOUT SIGNALLING LEVEL PROTECTION
CHALLENGING MIGRATION
TURN THE NEGATIVE STATISTICS
FULL SECURITY REQUIRES FULL VISIBILITY
A: Welcome everyone. My name is Federico Aureli and I have worked at Positive Technologies since 2016. I'm a member of the Expert and Delivery Team. Considering that in a pair everything goes better, today I'm glad to be here with my colleague Milan. Ciao Milan.
B: Ciao Fede. I agree with you. Let me introduce myself. It's been my second season in PT but I gained a lot of experience in messaging and security in my previous life. I hope I will learn something new today. So this is us - indeed more can be found in our private LinkedIn accounts.
A: Anyway we are proud we can work for this great company
B: Here comes the agenda for today. Let me remind you, any time you feel bored you might seek any other fancy webinars on our PT YouTube channel; from all of them I can recommend the one about 5G and calling Houston.
This is my favourite one, an English guy trying to convince people living in London not to destroy newly installed 5G antennas.
A: Good point for everyone on this call, 5G antennas have nothing to do with Corona virus or Brexit – really ...
B: A little about us.
PT is a company which puts research at the center of all its activities. This is our key differentiator: all we get from research is further propagated into our product and services portfolio.
A: Researching vulnerabilities in different environments, from more standard ones like IT and web applications to more niche ones like telecom and IoT, industrial, banking & payment systems. Active participation in regulator bodies such as GSMA.
B: As you can see, and I think we repeat this over and over, we are researchers. If you are interested in any of our recent papers, go and visit our web positive-tech.com
A: If I am not mistaken, this year we've released SS7, Diameter and GTP papers
B: You remember it correctly
A: Let's look at this picture about what a hacker can do using SS7 flaws. Consider that SS7 is used by over 800 global telecoms; it's insecure because when it was created it had no security in its design and nowadays it can still be easily compromised by hackers
B: Looks like hackers can do almost everything,
A: You are right, there is a pretty large perimeter of what can be done through your SS7 neighbors but it's not only limited to SS7, the other signaling guys are vulnerable the same way.
B: A scary slide I would say
A: But this is the reality
B: Why does it take 3 hours to recover from the DoS?
A: We'll see this in the next slides, but you know better than me that this is an average time based on our experience. Sometimes processes make the recovery phase even more challenging
B: Let me once more touch on 5G antennas in the UK; this was the first step of every MNO I know on the transformation path. They build up new radio and keep the existing EPC, but beside it they probably already have a virtualized 5G core.
A: So even with 5G RAN you still communicate on 4G or 3G to your roaming partner?
B: That's correct, you can also add IPX providers, this is also a significant group
A: I see
A: but in the case of a 5G SA core the story changes and EPC is used for partners and Internet
B: Even LTE-only networks using the Diameter protocol instead of SS7 or even next-generation 5G networks must interconnect with previous-generation networks.
A: Yes, and for this reason all partners or emerging MNOs using SS7 need to be supported. This is the so-called fallback
B: Or better backward compatibility
A: What about roaming?
A: This is the ideal world where everyone uses 5G
B: What's this? Better to simplify that....
A: Let's have a simplified zoom…click
B: In the ideal world everyone uses SEPP and at that time we are happy and can go home.
A: Sorry but since March I have worked constantly from home, did you forget Corona virus?
B: aaa you're right, anyway this is a nice vision – everyone is happy, but fallback or backward compatibility makes this more complicated
A: Do you think that SEPP will take decades to be adopted by all the roaming partners?
B: Unfortunately I think so. SEPP will properly work only in the case where both parties adopt 5G technology, so we'll need a lot of time before we'll see such a communication scheme fully working.
A: Before talking about new network generations, let's have a look at the "G" evolution
B: sure, as you can see it started with SS7, it's been almost 3 decades and SS7 is still worth considering
A: So we still need to count on SS7. Now let's see the market penetration of each technology, this might be interesting
– next page
B: I didn't expect this. SS7 (Signaling System No. 7) is a set of protocols governing the exchange of signaling messages on the control plane.
A: The issue with SS7 is that it's no longer isolated as it was when implemented: it can be accessed by both legitimate operators and by illegitimate attackers, which is still true.
B: You could think that everything is going to finish with the progressive implementation of 5G, but it's not true: until at least 2025 SS7 will continue to be a significant player. But I suppose its vulnerabilities have been mitigated during all this time…
A: Can you see any significant progress within last 3 years?
B: Progress maybe, but if significant, hard to say
A: As you can see, in our 2018 analysis of SS7 vulnerabilities, we noted gradual security improvements in SS7 networks.
B: Operators are still taking steps to improve security, but it seems they are doing so without the systemic approach needed to compensate for those flaws.
A: You're right and so long as this remains the case, there will be gaps in security that can be exploited by attackers. Let's have a look at Diameter…
B: please don't ask me whether I see any improvement.
A: Don't worry, I won't. As everyone sees, the last two years have brought almost no improvement in the security of Diameter networks. All the tested networks were vulnerable to denial of service, which poses a direct threat even to IoT devices.
B: Non-standalone 5G means subscribers counting on the advantages of 5G, including improved security, are still susceptible to 4G threats.
A: Do you know why we didn’t see the expected improvements?
B: I can imagine. Something related to security feature implementation?
A: Yes, but not only. These security features, even when installed and implemented, are not always correctly configured, which creates security gaps. Thus, the increased number of successful attacks in 2019 was due to both a general lack of traffic filtering and blocking systems as well as security gaps that allowed attackers to bypass these systems. In almost half of the networks studied, configuration errors in equipment at network boundaries allowed illegitimate requests to bypass.
B: Exactly. Just as an example for our audience, SMS Home Routing, which is used to guarantee proper routing of terminating SMS messages, even if strictly speaking it is not a security feature, its use does prevent some attacks aimed at disclosing subscriber information and operator network configurations. But if it's not rightly implemented and maintained you can have a false sense of security…
A: The GTP protocol is more recent. As seen in the previous slide, it was introduced in 2001 but it seems to suffer almost the same security issues…
B: Yes, Fede, you're right. Based on our research in the field, even GTP can be a threat vector. DoS and fraud are still possible and the main flaw is that the user's actual location is not checked, and this is responsible for half of successful attacks
A: Impressive. I suggest our guests visit the Positive Technologies web site and download the full research: a lot of interesting stuff there.
A: Need more?
B: Only if you show me positive numbers
A: All my numbers are positive....
B: I see, positive numbers, I miss the year here?
A: All the statistics we're going to show now are average numbers from our security assessments from the years 2019 and 2018
B: Let me ask then a question, how many assessments did we make last year?
A: 76 security assessments
B: not bad, this is then a representative sample
A: Yes, and as you can see in these delicious donuts, only 25 percent of firewalls and more than half of SMS Home Routing Solutions were able to secure the network
B: …impressive. So, it's not only important to have the right equipment, but it's important to configure it properly and keep it up to date. This is really important
A: In the past two years, the number of networks in which an attacker can track a subscriber's location has grown.
SS7 filters can be bypassed due to config issues, outdated DB, etc.
B: Does this mean that Attackers can make changes in a subscriber's profile that allow them to receive information about the subscriber's location every time that subscriber makes a call?
A: Yes, it does. The ability for attackers to track a subscriber's location is directly related to a fundamental flaw in SS7 architecture. In certain cases it is impossible to establish whether a subscriber is affiliated with the network from which a signaling message originated.
B: And if I understand this correctly, to prevent attacks, it is essential that filtering is correctly configured on end-user equipment and at network boundaries. In addition, signaling messages must be constantly monitored and analysed.
A: you learn quickly....and it's not all…
B: yet another disclosure, I see
A: Exactly. However, operators are well-informed about this problem and they’re taking protective measures to prevent the disclosure of this information. Most methods used to disclose IMSIs require signaling messages that should not ever come from external networks, so it is not particularly difficult to block such attacks.
B: So, generally, an attacker must know a subscriber's IMSI (International Mobile Subscriber Identity) as well as network equipment addresses in order to carry out an attack.
A: Yes, it's usually the first step for the majority of attacks. And it's not the only interesting disclosure that can happen. Let's see another disclosure example
B: Who cares about Network disclosure and why?
A: In our study, the majority of successful attacks utilized the absence of signaling traffic filtering or bypassability of SMS Home Routing.
B: This means information about network configuration is necessary for most attacks, which motivates attackers to seek out the addresses and functional roles of network equipment.
A: exactly. In isolated cases, attackers having such information also succeeded in bypassing the filtering of specialized security features.
B: My lovely DoS, for some reason these have my sympathy - attacks are generally carried out via requests aimed at changing settings in a subscriber's profile.
A: And it's not all…In some cases, restarting the subscriber's device is not enough to re-establish a connection—the subscriber has to actually change the network settings by hand or go to a different location in order to reconnect to another MSC.
B: aaa Fraud, I was waiting to see whether you would show me this or not
A: Why not? Every network that we tested in 2019 exposed vulnerabilities that could be exploited in financially-motivated attacks targeting both telecom providers and their clients, with money loss for both
B: Enough numbers, give me an example and show me more
A: As you wish
B: Can you imagine, someone gives you more than you expect?
A: I can. Let's see this kind of attack, it's named double MAP.
B: what is it exactly?
A: The TCAP message is composed of several portions, some of them mandatory (click) and others just optional (click). The intruder crafts a special message with two different operations inside to bypass security measures.
B: How does the equipment react to this?
A: Imagine, as an example, the first operation is InsertSubscriberData without an identifier of the subscriber. The second operation is DeleteSubscriberData with the target subscriber IMSI. The attacker sends this message to the target network (click). The STP receives the message and sends it (click) to the SS7 firewall, which inspects the first component only, determines that it does not have an identifier, (click) and forwards the message to the destination node. As easy as stealing an ice cream from a child.
B: So using this you fool the STP as well as the Firewall, excellent.
A: Do you want to see this in reality?
B: Yes, please
A: Live demos are always challenging, so let's pray to the God of demos to avoid something unexpected happening
B: here I know this.... This is related to 2 Factor Authentication, am I right?
A: Not necessarily, but partially you are right. In fact much more can be done with interception, you want to see an example?
B: Yes please
A: What about GDPR impacts of all this?
B: Let's have a look at the next slide
- NEXT SLIDE -
A: By this slide we open a really huge topic called GDPR.
B: Looks like a variation of GPRS
A: Something like this, it was not common to build security by the law/design especially if you work in the IoT industry
B: But I guess the time is here, am I right? If I look at issues connected to SIM SWAP, FRAUD, stolen identity ... This becomes a serious problem
A: Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach.
B: And this fact provides an opportunity for unscrupulous actors to take advantage…
A: Indeed, can you imagine huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
B: Something like this. It defines, among others, the concept of "Security by design". Everyone should implement infrastructure taking security into very serious consideration.
A: Furthermore, besides reputational loss, fines for violations are really huge: up to €20M or 4% of annual revenue.
A: Here is just a small list of the groups and the attacks that can be done
B: We are aware of over 20 major personal data groups which all contain various quantities of individual data types.
A: Maybe you want to ask for an example on how to exploit all of this?
B: Fede, can you give me an example please?
NEXT slide
A: Let's describe a potential way
A: 1, 3, 5
B: 2, 4, 6
B: So, is there any solution, or better, a right approach to minimize the impact of all we've spoken about so far?
A: Yes, here you are
HOW A HACKER CAN DO IT: GAIN LOTS OF INFORMATION
A: Telecom Operators should implement a virtuous circular process like the one shown in this slide
B: Audit, Detect and Respond. BTW nice circle, very similar to a square
A: What is important to underline is that this process is continuous and should not be done only once.
B: Yes, the network changes constantly, evolves, new functions are added. The attack surface can change. For this reason this squared circle flow should be constant.
A: …and our technology can help our Customers…
NEXT SLIDE
B: I always wanted to know how Lego bricks stick together.
A: I think all you need to know is that if you put them together they really stick
B: But this slide is not about Lego, it shows that 1+1 can be more than 2 if you combine the right products
NEXT SLIDE
A: You are totally right, alone with IDS or IPS you never get such a comprehensive view of your network and a significant advantage to combat incoming threats. Our Firewall combined with our best-in-class intelligence has been recognized as top-tier signaling technology for the second year in a row.
B: It's absolutely great!! So 1+1 equals 3 in this case. But what if, also due to Corona virus, I can't invest, can I get something let's say for FREE?
A: For Free? You know what? Yes, you can get our GSMA compliance check of your SS7 signaling network free of charge.
B: really? But what's the difference between the paid and the free service?
NEXT SLIDE
A: As you can see, up to 75 test cases will be used for our GSMA Compliance Check
B: Very interesting, but what if I don't want to touch my running configuration?
A: You don't need to, everything is done remotely just to check real life scenarios in the safest possible way
B: Amazing, what about the report?
A: This is the final stage where we deliver the report to you.
B: I see I can get a lot of information. Which are the sources you refer to to run these checks?
A: Our Compliance check is based on GSMA guidelines and it's composed of up to 75 tests.
B: Great to know. ENISA estimates only 30% of EU operators have implemented such security guidelines.
B: And if I need more?
A: If you need more, you can ask for further services like our Telecom Security Audit, where our experts perform deeper checks and also try bypass techniques.
B: I heard about it, it's very useful to dig deeper into my signaling network and have a full picture of my security posture
B: We are almost running out of time, so let's recap what we have learnt from this call
B: Don't forget that 5G NSA uses the previous generation backend
A: Exactly for this reason, migration to 5G might be very challenging and SS7/Diameter vulnerabilities can't be forgotten
B: We need to push MNOs to turn the negative trend. Security features must always be kept updated and well configured
A: Privacy always first. Regulations are going to be strict and users require it more and more
B: and full visibility is a must these days...with PT TAD it's easier than it has ever been, I'll pause here
and this is all from me and Federico, now it's your turn, you can ask your questions.
BTW: if you liked our webinar, let your friends know; if not, tell us