SS7: THE BAD NEIGHBOR YOU'RE STUCK WITH
DURING THE 5G MIGRATION AND FAR BEYOND
Speakers
FEDERICO AURELI
Technical Security Specialist
Member of Expert and Delivery Team
15 years experience in Cybersecurity
MILAN BŘEZINA
Telecom and SMS fraud expert
Gained Ph.D. in Telecommunication in 2007
12 years experience of Messaging and Security
Agenda
• About us
• Migration process
• Statistics about your neighbour
• Real examples (demo)
• GDPR and our privacy
• Our answer to migration
Positive Technologies
• 18 years of experience in security development and research
• 200+ zero-day vulnerabilities discovered yearly
• Recognised global security driving force
Global presence
• UK, London (Headquarters)
• Italy, Rome
• Czech Republic, Brno
• Russia, Moscow
• Brazil, Sao Paulo
• South Korea, Seoul
• + others
Analytics and research
Responsible disclosure — responsible attitude
• 2014: Signaling System 7 (SS7) security report
• 2014: Vulnerabilities of mobile Internet (GPRS)
• 2016: Primary security threats to SS7 cellular networks
• 2017: Threats to packet core security of 4G network
• 2017: Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
• 2018: SS7 Vulnerabilities and Attack Exposure Report
• 2018: Diameter Vulnerabilities Exposure Report
• 2019: 5G Security Issues
• 2020: SS7 network security analysis report
• 2020: Security assessment of Diameter networks
• 2020: Threat vector GTP
Now what can a Hacker do?
• Easily
• From anywhere
• Any mobile operator
• No special skills needed
From GSM to 5G: Different Protocols, Same Threats
• Steal your money
• Get access to your email and social media
• Track your location
• Intercept your data, calls and SMS messages
• Take control of your digital identity
• Perform massive denial of service attacks
Realities: the question is not “will I be hacked or not” ...
• 9 out of 10 SMS messages can be intercepted
• 67% of networks fail to prevent bypass of Firewall protections
• ALL LTE networks are vulnerable to denial of service attacks
• 3 hours average subscriber down-time after a DoS attack
…the question is “when it will happen and how painful will it be”
[Diagram: migration process. Elements shown: LTE, 5G RAN, Evolved Packet Core (EPC), EPC (NSA Option #3), Virtualized 5G Core (testbed), Virtualized 5G Core, 5G Core network, Interconnect Partners & Internet.]
[Diagram: service based architecture (5G architecture, by Rajorshi Pathak). Elements shown: AMF, UPF, SMF, AUSF, NSSF, PCF, NEF, AF, UDM, Data network.]
[Diagram: 5G Roaming zoom-in. Visiting network (roaming partner) and home network (home operator), each with a SEPP; functions shown: NRF, NEF, PCF, AUSF, UDM, Data network.]
Evolution of mobile technologies
[Timeline figure. Generations: 1G (analogue), 2G, 2.5G+, 3G, 3.5G, 4G, 4.5G, 5G. Years marked: 1980, 1991, 1999, 2001, 2005, 2010, 2017, 2019. Protocols shown: SS7, GTP, SIP, Diameter, APIs.]
Continual introduction of new use cases, change of importance to society
Source: https://www.gsma.com/wp-content/uploads/2019/04/The-5G-Guide_GSMA_2019_04_29_compressed.pdf
Market Share
Threat                               2017   2018   2019
Subscriber information disclosure    100%   100%   100%
Subscriber location disclosure        75%    83%    87%
Network information disclosure        63%    68%    87%
SMS interception                      89%    94%    86%
Call interception                     53%    50%    58%
Fraud                                 78%    94%   100%
Subscriber DoS                       100%    94%    93%
No security improvement
NEED MORE?
• Threats on Diameter
• Threats on GTP
SS7 By-Pass Statistics
• Under 1 in 4 Firewalls were able to successfully secure the network
• 57% of SMS Home Routing Platforms can be circumvented
[Chart: Subscriber location disclosure. Percentage of successful attacks aimed at disclosing a subscriber's location.]
[Chart: Vulnerabilities exposing IMSIs (percentage of successful attacks).]
[Chart: Subscriber information disclosure. Percentage of successful attacks aimed at disclosure of subscriber information.]
[Chart: Network information disclosure. Percentage of successful attacks aimed at network information disclosure; vulnerabilities allowing network information disclosure (percentage of successful attacks).]
[Chart: Subscriber DoS. Percentage of DoS attacks that were successful.]
[Chart: Frauds. Percentage of successful fraud attempts.]
Example: Double MAP attack
TCAP message structure:
• TCAP MESSAGE TYPE — MANDATORY
• TRANSACTION IDS — MANDATORY
• DIALOGUE PORTION — OPTIONAL
• COMPONENT PORTION — OPTIONAL (COMPONENT 1, COMPONENT 2)
[Diagram: PBX, STP, SS7 FW, MSC/VLR. Messages shown: TCAP Begin, Data_REQ, Data_REQ.]
• Send the message to the SS7 FW for inspection
• Inspect the first component only and forward the message to the network
Double MAP attack: TAD Demo on Double MAP
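The inspection gap on this slide, as an added example that is not part of the original deck or of any vendor product: a minimal BER walk over a TCAP message that applies a MAP opcode policy to every Invoke component and compares the verdict with a first-component-only check. The blocked-opcode policy and both sample messages are constructed for illustration (components carry no parameters); tag values and MAP operation codes are the standard ones.

```python
# Added example: apply a MAP opcode policy to every TCAP Invoke component.
# The policy and the sample messages below are constructed for illustration.

TCAP_MESSAGE_TAGS = {0x61: "Unidirectional", 0x62: "Begin", 0x64: "End",
                     0x65: "Continue", 0x67: "Abort"}
TAG_COMPONENT_PORTION = 0x6C
TAG_INVOKE = 0xA1
TAG_INTEGER = 0x02        # invokeID and local operation code
TAG_LINKED_ID = 0x80      # optional [0] linkedID between invokeID and opcode

# Hypothetical interconnect policy: MAP operations rejected from external peers.
BLOCKED_OPCODES = {70: "provideSubscriberInfo", 71: "anyTimeInterrogation"}

# Constructed TCAP Begin with two Invoke components:
#   component 1 = opcode 45 (sendRoutingInfoForSM), component 2 = opcode 71.
DOUBLE_MAP_SAMPLE = bytes.fromhex(
    "6218 4804 00000001 6c10 a106 020101 02012d a106 020102 020147")
# Constructed TCAP Begin with a single Invoke component (opcode 45).
SINGLE_SAMPLE = bytes.fromhex("6210 4804 00000002 6c08 a106 020101 02012d")


def read_tlv(buf, pos):
    """Decode one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F or length == 0x80:
        raise ValueError("multi-byte tag or indefinite length not handled")
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    """Yield (tag, value) for each TLV laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def invoke_opcodes(message):
    """Return the local opcode of every Invoke component (None if absent)."""
    tag, body, end = read_tlv(message, 0)
    if tag not in TCAP_MESSAGE_TAGS or end != len(message):
        raise ValueError("not a single well-formed TCAP message")
    opcodes = []
    for tag, portion in iter_tlvs(body):
        if tag != TAG_COMPONENT_PORTION:
            continue
        for ctag, cvalue in iter_tlvs(portion):
            if ctag != TAG_INVOKE:
                continue
            fields = list(iter_tlvs(cvalue))
            idx = 1                          # field 0 is the invokeID
            if len(fields) > idx and fields[idx][0] == TAG_LINKED_ID:
                idx += 1
            if (fields and fields[0][0] == TAG_INTEGER
                    and len(fields) > idx and fields[idx][0] == TAG_INTEGER):
                opcodes.append(int.from_bytes(fields[idx][1], "big", signed=True))
            else:
                opcodes.append(None)         # global or missing opcode
    return opcodes


def evaluate(message, first_only=False):
    """Return (allowed, reasons). first_only=True mimics the weak inspection."""
    try:
        opcodes = invoke_opcodes(message)
    except ValueError:
        return False, ["undecodable message"]          # fail closed
    inspected = opcodes[:1] if first_only else opcodes
    reasons = []
    for position, opcode in enumerate(inspected, 1):
        if opcode is None:
            reasons.append(f"component {position}: no local opcode")
        elif opcode in BLOCKED_OPCODES:
            reasons.append(
                f"component {position}: {BLOCKED_OPCODES[opcode]} ({opcode})")
    return (not reasons), reasons


if __name__ == "__main__":
    print("first component only:", evaluate(DOUBLE_MAP_SAMPLE, first_only=True))
    print("all components:      ", evaluate(DOUBLE_MAP_SAMPLE))
```

A count of Invoke components per message is also a useful monitoring signal in its own right, since the policy verdict depends on every one of them being decoded.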
[Chart: Percentage of successful call and SMS interception attempts.]
Example: Interception of SMS
The interception of SMS messages is one of the greatest threats facing mobile operators today. When this information is leaked, it can seriously damage an operator's reputation in the eyes of clients and lead to significant losses.
Interception of SMS: TAD Demo on SMS
GDPR as additional risk
Could telecom operators be at additional risk?
Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach.
Huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
And this fact provides an opportunity for unscrupulous actors to take advantage…
GDPR & Telecom Networks
• Identification & Contact Information
• Metadata Location Information
• Metadata Traffic Information
• Subscription Information
• Financial & Content Information
• Internal Identifier
Examples shown:
• TELEPHONE NUMBER
• CELL ID, CELL TOWER LOCATION
• LIST OF SERVICES TO WHICH A CUSTOMER HAS SUBSCRIBED (PROFILE)
• SERVICE ID (NA OR MSISDN), DEVICE ID (IMEI, IMSI)
• IP ADDRESS, APN
• SMS & CALLS
[Diagram: MNO/MVNO signaling network.]
Example how to exploit GDPR
1. Attacker gathers any information possible from the target network
2. All information is used to create as big a database of information as possible from the target operator
3. Attacker informs target operator of breach, demanding a ransom to not expose stolen data
4. Operational and administrative overhead plus reputational damage as Customer Notification completed
5. If no monitoring solutions are in place to check claim, no choice but to inform GDPR regulator
6. Possible severe fine: €10M–€20M, or 2%–4% of annual revenue
Start your new mission today
Audit
Auditing provides essential visibility to fully understand your ever-changing network risks.
Detect
Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Respond
Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process.
PT TAD: Full Protection Visibility
NgFW, FW/IPS, IDS
• Full solution, Full protection
• IDS + FW modules (NgFW)
• Bypass analysis
• True Network visibility, continuously monitoring and advanced analytics.
• Augments already existing FW investments if present
• Optional FW/IPS module available by simple license upgrade from IDS installation or as standalone solution
GSMA COMPLIANCE CHECK
ENISA estimates that only 30% of EU operators have implemented GSMA security guidelines.
The quickest way to ensure compliance with GSMA:
• FS.11
• FS.19
• IR.82
Recap
• 5G NSA SECURITY IS IMPOSSIBLE WITHOUT SIGNALLING LEVEL PROTECTION
• CHALLENGING MIGRATION
• TURN THE NEGATIVE STATISTICS
• FULL SECURITY REQUIRES FULL VISIBILITY
@positive-tech
Positive Technologies
THANK YOU
contact@positive-tech.com
positive-tech.com

More Related Content

What's hot

LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsGerry O'Prey
 
Creating a smarter world with eSIM
Creating a smarter world with eSIMCreating a smarter world with eSIM
Creating a smarter world with eSIMJT IoT
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Luca Bongiorni
 
Security in Mobile Computing
Security in Mobile ComputingSecurity in Mobile Computing
Security in Mobile ComputingMeghaSingla7
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Securitykentquirk
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
Steganography.
Steganography.Steganography.
Steganography.yprajapati
 
Encryption technology
Encryption technologyEncryption technology
Encryption technologyNeha Bhambu
 
Mobile computing security
Mobile computing securityMobile computing security
Mobile computing securityZachariah Pabi
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li Inmhaviv
 

What's hot (20)

LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMs
 
Creating a smarter world with eSIM
Creating a smarter world with eSIMCreating a smarter world with eSIM
Creating a smarter world with eSIM
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
Telecom Security
Telecom SecurityTelecom Security
Telecom Security
 
Security in Mobile Computing
Security in Mobile ComputingSecurity in Mobile Computing
Security in Mobile Computing
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
Steganography.
Steganography.Steganography.
Steganography.
 
Introduction to SIM and USIM
Introduction to SIM and USIMIntroduction to SIM and USIM
Introduction to SIM and USIM
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
 
Encryption technology
Encryption technologyEncryption technology
Encryption technology
 
Mobile computing security
Mobile computing securityMobile computing security
Mobile computing security
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 
Encryption
EncryptionEncryption
Encryption
 

Similar to SS7: the bad neighbor you're stuck with during the 5G migration and far beyond

Signaling security essentials. Ready, steady, 5G!
 Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Telecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTTelecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTPositiveTechnologies
 
7.2 gsm-association-fraud-forum
7.2 gsm-association-fraud-forum7.2 gsm-association-fraud-forum
7.2 gsm-association-fraud-forumkkvences
 
Unleashing the Power of Telecom Network Security.pdf
Unleashing the Power of Telecom Network Security.pdfUnleashing the Power of Telecom Network Security.pdf
Unleashing the Power of Telecom Network Security.pdfSecurityGen1
 
Strengthening Your Network Against Future Incidents with SecurityGen
Strengthening Your Network Against Future Incidents with SecurityGenStrengthening Your Network Against Future Incidents with SecurityGen
Strengthening Your Network Against Future Incidents with SecurityGenSecurityGen1
 
Telecom Resilience: Strengthening Networks through Cybersecurity Vigilance
Telecom Resilience: Strengthening Networks through Cybersecurity VigilanceTelecom Resilience: Strengthening Networks through Cybersecurity Vigilance
Telecom Resilience: Strengthening Networks through Cybersecurity VigilanceSecurityGen1
 
5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problem5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problemPositiveTechnologies
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesPositiveTechnologies
 
Security course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislationSecurity course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislationPositiveTechnologies
 
Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa Team Finland Future Watch
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Entersoft Security
 
SecurityGen-whitepaper-gtp-firewall- security 5G.pdf
SecurityGen-whitepaper-gtp-firewall- security 5G.pdfSecurityGen-whitepaper-gtp-firewall- security 5G.pdf
SecurityGen-whitepaper-gtp-firewall- security 5G.pdfNamTran825776
 
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...Security Gen
 
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdf
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdfSecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdf
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdfSecurityGen1
 
Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...SecurityGen1
 
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
 5G SA security: a comprehensive overview of threats, vulnerabilities and rem... 5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...PositiveTechnologies
 
6 Key Findings Security Findings for Service Providers
6 Key Findings Security Findings for Service Providers6 Key Findings Security Findings for Service Providers
6 Key Findings Security Findings for Service ProvidersNETSCOUT
 
Secure Networks Key to A2P Monetisation
Secure Networks Key to A2P MonetisationSecure Networks Key to A2P Monetisation
Secure Networks Key to A2P MonetisationSamantha Warren, MBA
 
Secure Networks Key to A2P Monetisation
Secure Networks Key to A2P MonetisationSecure Networks Key to A2P Monetisation
Secure Networks Key to A2P Monetisationtyntec
 

Similar to SS7: the bad neighbor you're stuck with during the 5G migration and far beyond (20)

Signaling security essentials. Ready, steady, 5G!
 Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
 
Telecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTTelecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoT
 
7.2 gsm-association-fraud-forum
7.2 gsm-association-fraud-forum7.2 gsm-association-fraud-forum
7.2 gsm-association-fraud-forum
 
Unleashing the Power of Telecom Network Security.pdf
Unleashing the Power of Telecom Network Security.pdfUnleashing the Power of Telecom Network Security.pdf
Unleashing the Power of Telecom Network Security.pdf
 
Strengthening Your Network Against Future Incidents with SecurityGen
Strengthening Your Network Against Future Incidents with SecurityGenStrengthening Your Network Against Future Incidents with SecurityGen
Strengthening Your Network Against Future Incidents with SecurityGen
 
Telecom Resilience: Strengthening Networks through Cybersecurity Vigilance
Telecom Resilience: Strengthening Networks through Cybersecurity VigilanceTelecom Resilience: Strengthening Networks through Cybersecurity Vigilance
Telecom Resilience: Strengthening Networks through Cybersecurity Vigilance
 
5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problem5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problem
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
 
Security course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislationSecurity course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislation
 
Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018
 
SecurityGen-whitepaper-gtp-firewall- security 5G.pdf
SecurityGen-whitepaper-gtp-firewall- security 5G.pdfSecurityGen-whitepaper-gtp-firewall- security 5G.pdf
SecurityGen-whitepaper-gtp-firewall- security 5G.pdf
 
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...
SecurityGen whitepaper GTP vulnerabilities - A cause for concern in 5G and LT...
 
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdf
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdfSecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdf
SecurityGen Sentinel - Your User-Friendly Guardian in Telecom Security.pdf
 
Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...
 
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
 5G SA security: a comprehensive overview of threats, vulnerabilities and rem... 5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
 
6 Key Findings Security Findings for Service Providers
6 Key Findings Security Findings for Service Providers6 Key Findings Security Findings for Service Providers
6 Key Findings Security Findings for Service Providers
 
Secure Networks Key to A2P Monetisation
Secure Networks Key to A2P MonetisationSecure Networks Key to A2P Monetisation
Secure Networks Key to A2P Monetisation
 
Secure Networks Key to A2P Monetisation
Secure Networks Key to A2P MonetisationSecure Networks Key to A2P Monetisation
Secure Networks Key to A2P Monetisation
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

SS7: the bad neighbor you're stuck with during the 5G migration and far beyond

  • 1. DURING THE 5G MIGRATION AND FAR BEYOND SS7: THE BAD NEIGHBOR YOU'RE STUCK WITH
  • 2. Speakers FEDERICO AURELI Technical Security Specialist Member of Expert and Delivery Team 15 years experience in Cybersecurity MILAN BŘEZINA Telecom and SMS fraud expert Gained Ph.D. Of Telecommunication in 2007 12 years experience of Messaging and Security
  • 3. Agenda: About us; Migration process; Statistics about your neighbour; Real examples (demo); GDPR and our privacy; Our answer to migration
  • 4. Positive Technologies 18 years of experience in security development and research 200+ zero-day vulnerabilities discovered yearly Recognised global security driving force + others UK, London (Headquarters) Italy, Rome Czech Republic, Brno Russia, Moscow Brazil, Sao Paulo South Korea, Seoul Global presence
  • 5. Analytics and research Responsible disclosure — responsible attitude 2014 Signaling System 7 (SS7) security report 2014 Vulnerabilities of mobile Internet (GPRS) 2016 Primary security threats to SS7 cellular networks 2017 Threats to packet core security of 4G network 2017 Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2018 SS7 Vulnerabilities and Attack Exposure Report 2018 Diameter Vulnerabilities Exposure Report 2019 5G Security Issues 2020 SS7 network security analysis report 2020 Security assessment of Diameter networks 2020 Threat vector GTP
  • 6. Now what can a Hacker do? Easily From anywhere Any mobile operator No special skills needed Steal your money Get access to your email and social media Track your location Intercept your data, calls and SMS messages Take control of your digital identity From GSM to 5G Different Protocols Same Threats Perform massive denial of service attacks
  • 7. Realities: the question is not “will I be hacked or not” ... 9 out of 10 SMS messages can be intercepted. 67% of networks fail to prevent bypass of Firewall protections. ALL LTE networks are vulnerable to denial of service attacks. 3 hours average subscriber down-time after a DoS attack. …the question is “when it will happen and how painful will it be”
  • 8. Interconnect Partners & Internet EPC (NSA Option #3) Virtualized 5G Core (testbed) 5G RAN LTE Evolved Packet Core (EPC)
  • 9. Interconnect Partners & Internet Virtualized 5G Core EPC 5G RAN LTE 5G Core
  • 10. network 5G Roaming zoom-in AMF UPF Data SMF AUSF NSSF PCF NEF AF UDM Service based architecture 5G architecture — by Rajorshi Pathak VISITINGNETWORK SEPP SEPP NRF HOMENETWORK NEF PCF NRF AUSF UDM
  • 11. 5G Roaming zoom-in SEPP SEPPROAMING PARTNER HOME OPERATOR VISITING NETWORK HOME NETWORK Data network
  • 12. Evolution of mobile technologies Analogue 1980 1991 1999 2001 2005 2010 2017 1G 2G 2.5G+ 3G 3.5G 4G 5G SS7 GTP SIP 4.5G APIs Diameter 2019 Continual introduction of new use cases, change of importance to society
  • 14. No security improvement (2017 / 2018 / 2019): Subscriber information disclosure 100% / 100% / 100%; Subscriber location disclosure 75% / 83% / 87%; Network information disclosure 63% / 68% / 87%; SMS interception 89% / 94% / 86%; Call interception 53% / 50% / 58%; Fraud 78% / 94% / 100%; Subscriber DoS 100% / 94% / 93%
  • 18. SS7 By-Pass Statistics: Under 1 in 4 Firewalls were able to successfully secure the network. 57% of SMS Home Routing Platforms can be circumvented.
  • 19. Subscriber location disclosure: percentage of successful attacks aimed at disclosing a subscriber's location. Vulnerabilities exposing IMSIs (percentage of successful attacks)
  • 20. Subscriber information disclosure: percentage of successful attacks aimed at disclosure of subscriber information. Vulnerabilities exposing IMSIs (percentage of successful attacks)
  • 21. Network information disclosure: percentage of successful attacks aimed at network information disclosure. Vulnerabilities allowing network information disclosure (percentage of successful attacks)
  • 22. Subscriber DoS Percentage of DoS attacks that were successful
  • 24. Example: Double MAP attack. TCAP message structure: TCAP MESSAGE TYPE (MANDATORY); TRANSACTION IDS (MANDATORY); DIALOGUE PORTION (OPTIONAL); COMPONENT PORTION (OPTIONAL), containing COMPONENT 1 and COMPONENT 2. Nodes: PBX, STP, SS7 FW, MSC/VLR. Flow: TCAP Begin; STP: send the message to the SS7 FW for inspection (Data_REQ); SS7 FW: inspect the first component only and forward the message to the network (Data_REQ)
  • 26. Percentage of successful call and SMS interception attempts The interception of SMS messages is one of the greatest threats facing mobile operators today. When this information is leaked, it can seriously damage an operator's reputation in the eyes of clients and lead to significant losses. Example: Interception of SMS
  • 28. GDPR as additional risk. Could telecom operators be at additional risk? Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. And this fact provides an opportunity for unscrupulous actors to take advantage… Huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
  • 29. GDPR & Telecom Networks. Data groups: Identification & Contact Information; Metadata Location Information; Metadata Traffic Information; Subscription Information; Financial & Content Information; Internal Identifier. Examples: TELEPHONE NUMBER; CELL ID, CELL TOWER LOCATION; LIST OF SERVICES TO WHICH A CUSTOMER HAS SUBSCRIBED (PROFILE); SERVICE ID (NA OR MSISDN), DEVICE ID (IMEI, IMSI); IP ADDRESS, APN; SMS & CALLS
  • 30. Example how to exploit GDPR (MNO/MVNO SIGNALING NETWORK): 1. Attacker gathers any information possible from the target network. 2. All information is used to create as big a database of information as possible from the target operator. 3. Attacker informs target operator of breach, demanding a ransom to not expose stolen data. 4. Operational and administrative overhead plus reputational damage as Customer Notification completed. 5. If no monitoring solutions are in place to check claim, no choice but to inform GDPR regulator. 6. Possible severe fine: €10M–€20M, or 2%–4% of annual revenue.
  • 31. Detect Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation Respond Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process. Audit Auditing provides essential visibility to fully understand your ever-changing network risks. Audit Detect Respond Start your new mission today
  • 32. PT TAD: Full Protection, Visibility (IDS, FW/IPS, NgFW). Full solution, Full protection; IDS + FW modules (NgFW); Bypass analysis; True Network visibility, continuously monitoring and advanced analytics; Augments already existing FW investments if present; Optional FW/IPS module available by simple license upgrade from IDS installation or as standalone solution
  • 33.
  • 34. ENISA estimates that only 30% of EU operators have implemented GSMA security guidelines GSMA COMPLIANCE CHECK The quickest way to ensure compliance with GSMA FS.11 FS.19 IR.82
  • 35. Recap: 5G NSA SECURITY IS IMPOSSIBLE WITHOUT SIGNALLING LEVEL PROTECTION; CHALLENGING MIGRATION; TURN THE NEGATIVE STATISTICS; FULL SECURITY REQUIRES FULL VISIBILITY
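
The inspection gap in the Double MAP attack slide (slide 24), as an added example that is not from the presentation or from any Positive Technologies product: a minimal TCAP parser with a first-component-only check beside one that walks every component. The blocked-operation policy and the sample message are constructed for illustration; the tag values are the single-byte tags of ITU-T Q.773, and 7 and 8 are the MAP local operation codes for insertSubscriberData and deleteSubscriberData.

```python
"""Added example: a signalling filter must inspect every TCAP component."""

# Single-byte tags from ITU-T Q.773 (multi-byte tags are not handled here).
TAG_BEGIN = 0x62        # TCAP Begin
TAG_OTID = 0x48         # originating transaction ID
TAG_COMPONENTS = 0x6C   # component portion
TAG_INVOKE = 0xA1       # Invoke component
TAG_INTEGER = 0x02      # invoke ID and local operation code

MAP_OPS = {7: "insertSubscriberData", 8: "deleteSubscriberData"}
BLOCKED_FROM_PEER = {8}  # hypothetical per-peer policy, for illustration only


def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each TLV nested directly inside value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def invoke_opcodes(message):
    """Return the local operation code of every Invoke in a TCAP Begin."""
    tag, body, end = read_tlv(message, 0)
    if tag != TAG_BEGIN or end != len(message):
        raise ValueError("not a single well-formed TCAP Begin")
    opcodes = []
    for ptag, portion in children(body):
        if ptag != TAG_COMPONENTS:
            continue
        for ctag, comp in children(portion):
            if ctag != TAG_INVOKE:
                continue
            # Inside an Invoke the first INTEGER is the invoke ID,
            # the second is the local operation code.
            ints = [v for t, v in children(comp) if t == TAG_INTEGER]
            if len(ints) < 2:
                raise ValueError("Invoke without local operation code")
            opcodes.append(int.from_bytes(ints[1], "big"))
    return opcodes


def verdict_first_only(message):
    """Flawed check from the slide: only the first component is examined."""
    ops = invoke_opcodes(message)
    return "drop" if ops and ops[0] in BLOCKED_FROM_PEER else "forward"


def verdict_all(message):
    """Hardened check: one blocked operation anywhere drops the message."""
    ops = invoke_opcodes(message)
    return "drop" if any(op in BLOCKED_FROM_PEER for op in ops) else "forward"


def tlv(tag, value=b""):
    """Encode a short-form TLV; used only to build the constructed samples."""
    if len(value) > 127:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def begin(*opcodes):
    """Constructed TCAP Begin with one parameterless Invoke per opcode."""
    invokes = b"".join(
        tlv(TAG_INVOKE, tlv(TAG_INTEGER, bytes([i + 1])) + tlv(TAG_INTEGER, bytes([op])))
        for i, op in enumerate(opcodes))
    return tlv(TAG_BEGIN, tlv(TAG_OTID, b"\x00\x00\x00\x01") + tlv(TAG_COMPONENTS, invokes))


DOUBLE_MAP = begin(7, 8)   # constructed sample: two operations in one message

if __name__ == "__main__":
    names = [MAP_OPS.get(op, op) for op in invoke_opcodes(DOUBLE_MAP)]
    print(names, verdict_first_only(DOUBLE_MAP), verdict_all(DOUBLE_MAP))
```

A message that fails to parse raises `ValueError`; a filter built on this should treat that as a drop rather than forwarding what it could not read.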

Editor's Notes

  1. A: Welcome everyone. My name is Federico Aureli and I have worked at Positive Technologies since 2016. I'm a member of the Expert and Delivery Team. Considering that in pairs everything goes better, today I'm glad to be here with my colleague Milan. Ciao Milan. B: Ciao Fede. I agree with you. Let me introduce myself. It's been my second season at PT, but I gained a lot of experience in messaging and security in my previous life. I hope I will learn something new today. So this is us; more can be found in our private LinkedIn accounts. A: Anyway, we are proud that we can work for this great company.
  2. B: Here comes the agenda for today. Let me remind you that any time you feel bored you might look for other fancy webinars on our PT YouTube channel; of all of them I can recommend the one about 5G and calling Houston. This is my favourite one, an English guy trying to convince people living in London not to destroy newly installed 5G antennas. A: Good point for everyone on this call: 5G antennas have nothing to do with coronavirus or Brexit, really ...
  3. B: A little about us. PT is a company which puts research at the center of all its activities. This is our key differentiator: all we get from research is further propagated into our product and services portfolio. A: Researching vulnerabilities in different environments, from more standard ones like IT and web applications to more niche ones like telecom and IoT, industrial, banking & payment systems. Active participation in regulatory bodies such as GSMA.
  4. B: As you can see, and I think we repeat this over and over, we are researchers. If you are interested in any of our recent papers, go and visit our website positive-tech.com. A: If I am not mistaken, this year we've released SS7, Diameter and GTP papers. B: You remember it correctly.
  5. A: Let's look at this picture of what a hacker can do using SS7 flaws. Consider that SS7 is used by over 800 global telecoms; it's insecure because when it was created it had no security in its design, and nowadays it can still be easily compromised by hackers. B: Looks like hackers can do almost everything. A: You are right, there is a pretty large perimeter of what can be done through your SS7 neighbors, but it's not limited only to SS7; the other signaling guys are vulnerable in the same way.
  6. B: A scary slide, I would say. A: But this is the reality. B: What takes 3 hours to recover from the DoS? A: We'll see this in the next slides, but you know better than me that this is an average time based on our experience. Sometimes processes make the recovery phase even more challenging.
  7. B: Let me once more touch on the 5G antennas in the UK; this was the first step of every MNO I know on the way to transformation. They build up new radio and keep the existing EPC, but besides that they probably already have a virtualized 5G core. A: So even with 5G RAN you still communicate on 4G or 3G with your roaming partner? B: That's correct; you can also add IPX providers, this is also a significant group. A: I see.
  8. A: But in the case of a 5G SA core the story changes, and the EPC is used for partners and Internet. B: Even LTE-only networks using the Diameter protocol instead of SS7, or even next-generation 5G networks, must interconnect with previous-generation networks. A: Yes, and for this reason all partners or emerging MNOs using SS7 need to be supported. This is the so-called fallback. B: Or better, backward compatibility. A: What about roaming?
  9. A: This is the ideal world where everyone uses 5G. B: What's this? Better to simplify that.... A: Let's have a simplified zoom… click
  10. B: In the ideal world everyone uses SEPP, and at that time we are happy and can go home. A: Sorry, but since March I have been working constantly from home; did you forget coronavirus? B: Aaa, you're right. Anyway, this is a nice vision: everyone is happy, but fallback or backward compatibility makes this more complicated. A: Do you think that SEPP will take decades to be adopted by all the roaming partners? B: Unfortunately I think so. SEPP will work properly only in the case where both parties adopt 5G technology, so we'll need a lot of time before we see such a communication scheme fully working.
  11. A: Before talking about new network generations, let's have a look at the "G" evolution. B: Sure, as you can see it started with SS7; it's been almost 3 decades and SS7 is still worth considering. A: So we still need to reckon with SS7. Now let's see the market penetration of each technology, this might be interesting. Next page.
  12. B: I didn't expect this. SS7 (Signaling System No. 7) is a set of protocols governing the exchange of signaling messages on the control plane. A: The issue with SS7 is that it's no longer isolated as it was when implemented: it can be accessed by both legitimate operators and illegitimate attackers, which is still true. B: You could think that everything is going to finish with the progressive implementation of 5G, but it's not true: until at least 2025 SS7 will continue to be a significant player. But I suppose its vulnerabilities have been mitigated during all this time…
  13. A: Can you see any significant progress within the last 3 years? B: Progress maybe, but whether it is significant is hard to say. A: As you can see, in our 2018 analysis of SS7 vulnerabilities, we noted gradual security improvements in SS7 networks. B: Operators are still taking steps to improve security, but it seems they are doing so without the systemic approach needed to compensate for those flaws. A: You're right, and so long as this remains the case, there will be gaps in security that can be exploited by attackers. Let's have a look at Diameter…
  14. B: Please don't ask me whether I see any improvement. A: Don't worry, I won't. As everyone can see, the last two years have brought almost no improvement in the security of Diameter networks. All the tested networks were vulnerable to denial of service, which poses a direct threat even to IoT devices. B: Non-standalone 5G means subscribers counting on the advantages of 5G, including improved security, are still susceptible to 4G threats. A: Do you know why we didn't see the expected improvements? B: I can imagine. Something related to security feature implementation? A: Yes, but not only. These security features, even when installed and implemented, are not always correctly configured, which creates security gaps. Thus, the increased number of successful attacks in 2019 was due to both a general lack of traffic filtering and blocking systems as well as security gaps that allowed attackers to bypass these systems. In almost half of the networks studied, configuration errors in equipment at network boundaries allowed illegitimate requests to bypass. B: Exactly. Just as an example for our audience: SMS Home Routing, which is used to guarantee proper routing of terminating SMS messages, is strictly speaking not a security feature, but its use does prevent some attacks aimed at disclosing subscriber information and operator network configurations. But if it's not correctly implemented and maintained you can have a false sense of security…
  15. A: The GTP protocol is more recent. As seen in the previous slide, it was introduced in 2001, but it seems to suffer from almost the same security issues… B: Yes, Fede, you're right. Based on our research in the field, even GTP can be a threat vector. DoS and fraud are still possible, and the main flaw is that the user's actual location is not checked; this is responsible for half of successful attacks. A: Impressive. I suggest that our guests visit the Positive Technologies website and download the full research: a lot of interesting stuff there.
  16. A: Need more? B: Only if you show me positive numbers A: All my numbers are positive....
  17. B: I see, positive numbers, but I miss the year here? A: All the statistics we're going to show now are average numbers from our security assessments from the years 2019 and 2018. B: Let me ask a question then: how many assessments did we make last year? A: 76 security assessments. B: Not bad, this is then a representative sample. A: Yes, and as you can see in these delicious donuts, only 25% of firewalls and more than half of SMS Home Routing solutions were able to secure the network. B: …impressive. So, it's not only important to have the right equipment, but it's important to configure it properly and keep it up to date. This is really important.
  18. A: In the past two years, the number of networks in which an attacker can track a subscriber's location has grown. SS7 filters can be bypassed due to config issues, outdated DBs, etc. B: Does this mean that attackers can make changes in a subscriber's profile that allow them to receive information about the subscriber's location every time that subscriber makes a call? A: Yes, it does. The ability for attackers to track a subscriber's location is directly related to a fundamental flaw in SS7 architecture. In certain cases it is impossible to establish whether a subscriber is affiliated with the network from which a signaling message originated. B: And if I understand this correctly, to prevent attacks, it is essential that filtering is correctly configured on end-user equipment and at network boundaries. In addition, signaling messages must be constantly monitored and analysed. A: You learn quickly.... and that's not all…
  19. B: Yet another disclosure, I see. A: Exactly. However, operators are well-informed about this problem and they're taking protective measures to prevent the disclosure of this information. Most methods used to disclose IMSIs require signaling messages that should not ever come from external networks, so it is not particularly difficult to block such attacks. B: So, generally, an attacker must know a subscriber's IMSI (International Mobile Subscriber Identity) as well as network equipment addresses in order to carry out an attack. A: Yes, it's usually the first step for the majority of attacks. And it's not the only interesting disclosure that can happen. Let's see another disclosure example.
  20. B: Who cares about network disclosure and why? A: In our study, the majority of successful attacks utilized the absence of signaling traffic filtering or bypassability of SMS Home Routing. B: This means information about network configuration is necessary for most attacks, which motivates attackers to seek out the addresses and functional roles of network equipment. A: Exactly. In isolated cases, attackers having such information also succeeded in bypassing the filtering of specialized security features.
  21. B: My lovely DoS, for some reason these have my sympathy. Attacks are generally carried out via requests aimed at changing settings in a subscriber's profile. A: And that's not all… In some cases, restarting the subscriber's device is not enough to re-establish a connection; the subscriber has to actually change the network settings by hand or go to a different location in order to reconnect to another MSC.
  22. B: Aaa, fraud, I was waiting to see whether you would show me this or not. A: Why not? Every network that we tested in 2019 exposed vulnerabilities that could be exploited in financially motivated attacks targeting both telecom providers and their clients, with money loss for both. B: Enough numbers, give me an example and show me more. A: As you wish.
  23. B: Can you imagine someone gives you more than you expect? A: I can. Let's see this kind of attack; it's named double MAP. B: What is it exactly? A: The TCAP message is composed of several portions, some of them mandatory (click) and others just optional (click). The intruder crafts a special message with two different operations inside to bypass security measures. B: How does the equipment react to this? A: Imagine, as an example, the first operation is InsertSubscriberData without an identifier of subscriber. The second operation is DeleteSubscriberData with the target subscriber IMSI. The attacker sends this message to the target network (click). The STP receives the message and sends it (click) to the SS7 firewall that inspects the first component only, determines that it does not have an identifier, (click) and forwards the message to the destination node. As easy as stealing an ice cream from a child. B: So using this you fool the STP as well as the firewall, excellent. A: Do you want to see this in reality? B: Yes, please.
  24. A: Live demos are always challenging, so let's pray to the god of demos that nothing unexpected happens.
  25. B: Here I know this.... This is related to 2-factor authentication, am I right? A: Not necessarily, but partially you are right. In fact much more can be done with interception; do you want to see an example? B: Yes please.
  26. A: What about the GDPR impacts of all this? B: Let's have a look at the next slide - NEXT SLIDE -
  27. A: With this slide we open a really huge topic called GDPR. B: Looks like a variation of GPRS. A: Something like this; it was not common to build security by the law/design, especially if you work in the IoT industry. B: But I guess the time is here, am I right? If I look at issues connected to SIM SWAP, FRAUD, stolen identity ... This becomes a serious problem. A: Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. B: And this fact provides an opportunity for unscrupulous actors to take advantage… A: Indeed, can you imagine huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
  28. B: Something like this. It defines, among others, the concept of "Security by design". Everyone should implement infrastructure taking security into very serious consideration. It was not common to build security by the law/design, especially if you were in the IoT industry. A: But I guess the time is here, am I right? If I look at issues connected to SIM SWAP, FRAUD, stolen identity ... This becomes a serious problem. B: Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. A: And this fact provides an opportunity for unscrupulous actors to take advantage. Furthermore, besides reputational loss, fines for violations are really huge: up to €20M or 4% of annual revenue.
  29. A: Here is just a small list of the GROUPS AND THE ATTACKS THAT can be done. B: We are aware of over 20 major personal data groups which all contain various quantities of individual data types. A: Maybe you want to ask for an example of how to exploit all of this? B: Fede, can you give me an example please? NEXT slide
  30. A: Let's describe a potential way. A: 1, 3, 5 B: 2, 4, 6 B: So, is there any solution or, better, the right approach to minimize the impact of all we've spoken about so far? A: Yes, here you are. HOW A HACKER CAN DO IT C=GAIN LOST OF INFORMATION
  31. A: Telecom Operators should implement a virtuous circular process like the one shown in this slide B: Audit, Detect and Respond. BTW nice circle very similar to square A: What is important to underline is that this process is continuous and should not be done only once. B: Yes, the network changes constantly, evolves, new functions are added. The attack surface can change. For this reason this squared circle flow should be constant. A: …and our technology can help our Customers… NEXT SLIDE
  32. B: I always wanted to know how Lego bricks stick together. A: I think all you need to know is that if you put them together they really stick. B: But this slide is not about Lego; it shows that 1+1 can be more than 2 if you combine the right products. NEXT SLIDE
  33. A: You are totally right, alone with IDS or IPS you never get such a comprehensive view of your network and a significant advantage in combating incoming threats. Our Firewall combined with our best-in-class intelligence has been recognized as top-tier signaling technology for the second year in a row. B: It's absolutely great!! So 1+1 equals 3 in this case. But what if, also due to coronavirus, I can't invest; can I get something, let's say, for FREE? A: For free? You know what? Yes, you can get our GSMA compliance check of your SS7 signaling network free of charge. B: Really? But what's the difference between the paid and the free service? NEXT SLIDE
  34. A: As you can see, up to 75 test cases will be used for our GSMA Compliance Check. B: Very interesting, but what if I don't want to touch my running configuration? A: You don't need to; everything is done remotely just to check real-life scenarios in the safest possible way. B: Amazing, what about the report?
  35. A: This is the final stage where we deliver the report to you. B: I see I can get a lot of information. Which are the sources you refer to run these checks?
  36. A: Our Compliance check is based on GSMA guidelines and it's composed of up to 75 tests. B: Great to know. ENISA estimates only 30% of EU operators have implemented such security guidelines. Very interesting, but what if I don't want to touch my running configuration? A: You don't need to; everything is done remotely just to check real-life scenarios in the safest possible way. B: And if I need more? A: If you need more, you can ask for further services like our Telecom Security Audit, where our experts perform deeper checks and bypass techniques are also tried. B: I heard about it; it's very useful to dig deeper into my signaling network and have a full picture of my security posture.
  37. B: We are almost running out of time, so let's recap what we have learnt from this call. B: Don't forget that 5G NSA uses a previous-generation backend. A: Exactly for this reason, migration to 5G might be very challenging and SS7/Diameter vulnerabilities can't be forgotten. B: We need to push MNOs to turn the negative trend. Security features must always be kept updated and well configured. A: Privacy always first. Regulations are going to be strict and users require it more and more. B: And full visibility is a must these days... with PT TAD it's easier than it has ever been. I'll pause here.
  38. And this is all from me and Federico; now it's your turn, you can ask your questions. BTW: if you liked our webinar, let your friends know; if not, tell us.