SS7: THE BAD NEIGHBOR YOU'RE STUCK WITH DURING THE 5G MIGRATION AND FAR BEYOND
Speakers
FEDERICO AURELI
Technical Security Specialist, member of Expert and Delivery Team
15 years' experience in cybersecurity
MILAN BŘEZINA
Telecom and SMS fraud expert
Gained Ph.D. in Telecommunication in 2007
12 years' experience in messaging and security
Agenda
- About us
- Migration process
- Statistics about your neighbour
- Real examples (demo)
- GDPR and our privacy
- Our answer to migration
Positive Technologies
18 years of experience in security development and research
200+ zero-day vulnerabilities discovered yearly
Recognised global security driving force
Global presence: UK, London (Headquarters); Italy, Rome; Czech Republic, Brno; Russia, Moscow; Brazil, Sao Paulo; South Korea, Seoul
Analytics and research
Responsible disclosure — responsible attitude
2014: Signaling System 7 (SS7) security report
2014: Vulnerabilities of mobile Internet (GPRS)
2016: Primary security threats to SS7 cellular networks
2017: Threats to packet core security of 4G network
2017: Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2018: SS7 Vulnerabilities and Attack Exposure Report
2018: Diameter Vulnerabilities Exposure Report
2019: 5G Security Issues
2020: SS7 network security analysis report
2020: Security assessment of Diameter networks
2020: Threat vector GTP
Now what can a Hacker do?
Easily. From anywhere. Any mobile operator. No special skills needed.
- Steal your money
- Get access to your email and social media
- Track your location
- Intercept your data, calls and SMS messages
- Take control of your digital identity
- Perform massive denial of service attacks
From GSM to 5G: Different Protocols, Same Threats
Realities: the question is not “will I be hacked or not” ...
- 9 out of 10 SMS messages can be intercepted
- 67% of networks fail to prevent bypass of firewall protections
- ALL LTE networks are vulnerable to denial of service attacks
- 3 hours average subscriber down-time after a DoS attack
…the question is “when will it happen and how painful will it be”
[Diagram: migration stages. Labels: 5G RAN, LTE, Evolved Packet Core (EPC), EPC (NSA Option #3), Virtualized 5G Core (testbed), Virtualized 5G Core, Interconnect Partners & Internet]
[Diagram: 5G Core network, service based architecture. Labels: AMF, SMF, UPF, AUSF, NSSF, PCF, NEF, AF, UDM, Data network. Credit: 5G architecture — by Rajorshi Pathak]
[Diagram: 5G Roaming zoom-in. Labels: VISITING NETWORK, HOME NETWORK, SEPP on each side, NRF, NEF, PCF, AUSF, UDM, ROAMING PARTNER, HOME OPERATOR, Data network]
Evolution of mobile technologies
[Timeline figure. Years on the axis: 1980, 1991, 1999, 2001, 2005, 2010, 2017, 2019. Generations: Analogue, 1G, 2G, 2.5G+, 3G, 3.5G, 4G, 4.5G, 5G. Protocols: SS7, GTP, SIP, Diameter, APIs]
Continual introduction of new use cases, change of importance to society
Source: https://www.gsma.com/wp-content/uploads/2019/04/The-5G-Guide_GSMA_2019_04_29_compressed.pdf
Market Share
Threat                               2017   2018   2019
Subscriber information disclosure    100%   100%   100%
Subscriber location disclosure        75%    83%    87%
Network information disclosure        63%    68%    87%
SMS interception                      89%    94%    86%
Call interception                     53%    50%    58%
Fraud                                 78%    94%   100%
Subscriber DoS                       100%    94%    93%
No security improvement
NEED MORE?
Threats on Diameter
Threats on GTP
SS7 By-Pass Statistics
Under 1 in 4 firewalls were able to successfully secure the network
57% of SMS Home Routing platforms can be circumvented
Subscriber location disclosure
[Chart: percentage of successful attacks aimed at disclosing a subscriber's location]
Subscriber information disclosure
[Charts: percentage of successful attacks aimed at disclosure of subscriber information; vulnerabilities exposing IMSIs (percentage of successful attacks)]
Network information disclosure
[Charts: percentage of successful attacks aimed at network information disclosure; vulnerabilities allowing network information disclosure (percentage of successful attacks)]
Subscriber DoS
[Chart: percentage of DoS attacks that were successful]
Frauds
[Chart: percentage of successful fraud attempts]
Example: Double MAP attack
Network elements in the diagram: PBX, STP, SS7 FW, MSC/VLR
TCAP message structure:
- TCAP MESSAGE TYPE — MANDATORY
- TRANSACTION IDS — MANDATORY
- DIALOGUE PORTION — OPTIONAL
- COMPONENT PORTION — OPTIONAL (COMPONENT 1, COMPONENT 2)
Message sent: TCAP Begin with two components (Data_REQ, Data_REQ)
1. Send the message to the SS7 FW for inspection
2. Inspect the first component only and forward the message to the network
Double MAP attack
TAD Demo on Double MAP
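The weakness on this slide, a filter that inspects only the first TCAP component, shown beside a check that walks every component. This is an added example, not code from the presentation or from PT TAD; the blocked-opcode policy, the rule that flags more than one Invoke, and the sample message bytes are constructed assumptions.

```python
"""Inspect every TCAP component instead of only the first one (added example)."""

# Tag values from ITU-T Q.773 (TCAP). Only single-byte tags occur here.
TCAP_TYPES = {0x62: "Begin", 0x64: "End", 0x65: "Continue", 0x67: "Abort"}
TAG_COMPONENT_PORTION = 0x6C
TAG_INVOKE = 0xA1
TAG_LINKED_ID = 0x80
TAG_INTEGER = 0x02

# Assumed policy for this example: MAP operation code 71 is not accepted
# from interconnect. Replace with the operator's own filtering policy.
BLOCKED_OPCODES = frozenset({71})


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in TCAP")
    if length == 0x80:
        raise ValueError("indefinite length not handled in this example")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    """Yield (tag, value) for each TLV laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def invoke_opcode(component):
    """Local operation code of one Invoke, or None if it is not a local code."""
    items = list(iter_tlvs(component))
    if not items or items[0][0] != TAG_INTEGER:
        raise ValueError("Invoke component without invoke ID")
    idx = 2 if len(items) > 1 and items[1][0] == TAG_LINKED_ID else 1
    if idx >= len(items) or items[idx][0] != TAG_INTEGER:
        return None
    return int.from_bytes(items[idx][1], "big", signed=True)


def inspect_tcap(tcap, blocked=BLOCKED_OPCODES):
    """Compare a first-component-only verdict with an all-components verdict."""
    tag, body, end = read_tlv(tcap, 0)
    if tag not in TCAP_TYPES or end != len(tcap):
        raise ValueError("not a single well-formed TCAP message")
    opcodes = []
    for t, portion in iter_tlvs(body):
        if t == TAG_COMPONENT_PORTION:
            opcodes += [invoke_opcode(c) for ct, c in iter_tlvs(portion)
                        if ct == TAG_INVOKE]
    reasons = []
    if len(opcodes) > 1:  # assumed rule: one Invoke per message on interconnect
        reasons.append("more than one Invoke component")
    for i, op in enumerate(opcodes, 1):
        if op is None:
            reasons.append(f"component {i}: operation code is not a local value")
        elif op in blocked:
            reasons.append(f"component {i}: blocked operation code {op}")
    return {
        "type": TCAP_TYPES[tag],
        "opcodes": opcodes,
        "first_only_blocks": bool(opcodes) and opcodes[0] in blocked,  # weak check
        "all_components_blocks": bool(reasons),                        # full check
        "reasons": reasons,
    }


def tlv(tag, value):
    """Encode a short-form TLV; used only to build the constructed samples."""
    if len(value) > 127:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def sample_invoke(invoke_id, opcode):
    """Constructed Invoke whose parameter is an empty SEQUENCE placeholder."""
    return tlv(TAG_INVOKE, tlv(TAG_INTEGER, bytes([invoke_id]))
               + tlv(TAG_INTEGER, bytes([opcode])) + tlv(0x30, b""))


# Constructed sample: TCAP Begin, originating transaction ID, two components.
SAMPLE = tlv(0x62, tlv(0x48, bytes.fromhex("00000001"))
             + tlv(TAG_COMPONENT_PORTION, sample_invoke(1, 2) + sample_invoke(2, 71)))

if __name__ == "__main__":
    for key, value in inspect_tcap(SAMPLE).items():
        print(f"{key}: {value}")
```
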
[Chart: percentage of successful call and SMS interception attempts]
The interception of SMS messages is one of the greatest threats facing mobile operators today.
When this information is leaked, it can seriously damage an operator's reputation in the eyes of clients and lead to significant losses.
Example: Interception of SMS
Interception of SMS
TAD Demo on SMS
GDPR as additional risk
Could telecom operators be at additional risk?
Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. And this fact provides an opportunity for unscrupulous actors to take advantage…
Huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
GDPR & Telecom Networks
Data categories:
- Identification & Contact Information
- Metadata Location Information
- Metadata Traffic Information
- Subscription Information
- Financial & Content Information
- Internal Identifier
MNO/MVNO signaling network:
- TELEPHONE NUMBER
- CELL ID, CELL TOWER LOCATION
- LIST OF SERVICES TO WHICH A CUSTOMER HAS SUBSCRIBED (PROFILE)
- SERVICE ID (NA OR MSISDN), DEVICE ID (IMEI, IMSI)
- IP ADDRESS, APN
- SMS & CALLS
Example: how to exploit GDPR
1. Attacker gathers any information possible from the target network
2. All information is used to create as big a database of information as possible from the target operator
3. Attacker informs target operator of breach, demanding a ransom to not expose stolen data
4. Operational and administrative overhead plus reputational damage as Customer Notification completed
5. If no monitoring solutions are in place to check claim, no choice but to inform GDPR regulator
6. Possible severe fine: €10M–€20M, or 2%–4% of annual revenue
Audit, Detect, Respond
Detect: Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Respond: Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process.
Audit: Auditing provides essential visibility to fully understand your ever-changing network risks.
Start your new mission today
PT TAD: Full Protection Visibility
NgFW
- Full solution, full protection
- IDS + FW modules (NgFW)
- Bypass analysis
IDS
- True network visibility, continuous monitoring and advanced analytics
- Augments already existing FW investments if present
FW/IPS
- Optional FW/IPS module available by simple license upgrade from IDS installation or as standalone solution
ENISA estimates that only 30% of EU operators have implemented GSMA security guidelines
GSMA COMPLIANCE CHECK
The quickest way to ensure compliance with GSMA FS.11, FS.19, IR.82
Recap
- 5G NSA SECURITY IS IMPOSSIBLE WITHOUT SIGNALLING LEVEL PROTECTION
- CHALLENGING MIGRATION
- TURN THE NEGATIVE STATISTICS
- FULL SECURITY REQUIRES FULL VISIBILITY
THANK YOU
Positive Technologies
@positive-tech
contact@positive-tech.com
positive-tech.com

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 

SS7: the bad neighbor you're stuck with during the 5G migration and far beyond

  • 1. DURING THE 5G MIGRATION AND FAR BEYOND SS7: THE BAD NEIGHBOR YOU'RE STUCK WITH
  • 2. Speakers FEDERICO AURELI Technical Security Specialist Member of Expert and Delivery Team 15 years experience in Cybersecurity MILAN BŘEZINA Telecom and SMS fraud expert Gained Ph.D. Of Telecommunication in 2007 12 years experience of Messaging and Security
  • 3. Agenda: About us; Migration process; Statistics about your neighbour; Real examples (demo); GDPR and our privacy; Our answer to migration
  • 4. Positive Technologies 18 years of experience in security development and research 200+ zero-day vulnerabilities discovered yearly Recognised global security driving force + others UK, London (Headquarters) Italy, Rome Czech Republic, Brno Russia, Moscow Brazil, Sao Paulo South Korea, Seoul Global presence
  • 5. Analytics and research Responsible disclosure — responsible attitude 2014 Signaling System 7 (SS7) security report 2014 Vulnerabilities of mobile Internet (GPRS) 2016 Primary security threats to SS7 cellular networks 2017 Threats to packet core security of 4G network 2017 Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2018 SS7 Vulnerabilities and Attack Exposure Report 2018 Diameter Vulnerabilities Exposure Report 2019 5G Security Issues 2020 SS7 network security analysis report 2020 Security assessment of Diameter networks 2020 Threat vector GTP
  • 6. Now what can a Hacker do? Easily From anywhere Any mobile operator No special skills needed Steal your money Get access to your email and social media Track your location Intercept your data, calls and SMS messages Take control of your digital identity From GSM to 5G Different Protocols Same Threats Perform massive denial of service attacks
  • 7. Realities: the question is not “will I be hacked or not” ... 9 out of 10 SMS messages can be intercepted; 67% of networks fail to prevent bypass of firewall protections; ALL LTE networks are vulnerable to denial of service attacks; 3 hours average subscriber down-time after a DoS attack …the question is “when it will happen and how painful will it be”
  • 8. Interconnect Partners & Internet EPC (NSA Option #3) Virtualized 5G Core (testbed) 5G RAN LTE Evolved Packet Core (EPC)
  • 9. Interconnect Partners & Internet Virtualized 5G Core EPC 5G RAN LTE 5G Core
  • 10. network 5G Roaming zoom-in AMF UPF Data SMF AUSF NSSF PCF NEF AF UDM Service based architecture 5G architecture — by Rajorshi Pathak VISITINGNETWORK SEPP SEPP NRF HOMENETWORK NEF PCF NRF AUSF UDM
  • 11. 5G Roaming zoom-in SEPP SEPPROAMING PARTNER HOME OPERATOR VISITING NETWORK HOME NETWORK Data network
  • 12. Evolution of mobile technologies Analogue 1980 1991 1999 2001 2005 2010 2017 1G 2G 2.5G+ 3G 3.5G 4G 5G SS7 GTP SIP 4.5G APIs Diameter 2019 Continual introduction of new use cases, change of importance to society
  • 14. (2017 / 2018 / 2019) Subscriber information disclosure: 100% / 100% / 100%; Subscriber location disclosure: 75% / 83% / 87%; Network information disclosure: 63% / 68% / 87%; SMS interception: 89% / 94% / 86%; Call interception: 53% / 50% / 58%; Fraud: 78% / 94% / 100%; Subscriber DoS: 100% / 94% / 93%. No security improvement
  • 18. SS7 By-Pass Statistics: Under 1 in 4 firewalls were able to successfully secure the network; 57% of SMS Home Routing platforms can be circumvented
  • 19. Percentage of successful attacks aimed at disclosing a subscriber's location Subscriber location disclosure Vulnerabilities exposing IMSIs (percentage of successful attacks)
  • 20. Subscriber information disclosure: Percentage of successful attacks aimed at disclosure of subscriber information. Vulnerabilities exposing IMSIs (percentage of successful attacks)
  • 21. Network information disclosure: Percentage of successful attacks aimed at network information disclosure. Vulnerabilities allowing network information disclosure (percentage of successful attacks)
  • 22. Subscriber DoS Percentage of DoS attacks that were successful
  • 24. Example: Double MAP attack. TCAP message structure: TCAP MESSAGE TYPE — MANDATORY; TRANSACTION IDS — MANDATORY; DIALOGUE PORTION — OPTIONAL; COMPONENT PORTION — OPTIONAL (COMPONENT 1, COMPONENT 2). Nodes: STP, SS7 FW, MSC/VLR, PBX. Messages: TCAP Begin, Data_REQ, Data_REQ. Send the message to the SS7 FW for inspection. Inspect the first component only and forward the message to the network
  • 26. Percentage of successful call and SMS interception attempts The interception of SMS messages is one of the greatest threats facing mobile operators today. When this information is leaked, it can seriously damage an operator's reputation in the eyes of clients and lead to significant losses. Example: Interception of SMS
  • 28. GDPR as additional risk And this fact provides an opportunity for unscrupulous actors to take advantage… Could telecom operators be at additional risk? Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. Huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
  • 29. GDPR & Telecom Networks. Data categories: Identification & Contact Information; Metadata Location Information; Metadata Traffic Information; Subscription Information; Financial & Content Information; Internal Identifier. Examples: TELEPHONE NUMBER; CELL ID, CELL TOWER LOCATION; LIST OF SERVICES TO WHICH A CUSTOMER HAS SUBSCRIBED (PROFILE); SERVICE ID (NA OR MSISDN), DEVICE ID (IMEI, IMSI); IP ADDRESS, APN; SMS & CALLS
  • 30. Example how to exploit GDPR (MNO/MVNO SIGNALING NETWORK): 1. Attacker gathers any information possible from the target network 2. All information is used to create as big a database of information as possible from the target operator 3. Attacker informs target operator of breach, demanding a ransom to not expose stolen data 4. Operational and administrative overhead plus reputational damage as Customer Notification completed 5. If no monitoring solutions are in place to check claim, no choice but to inform GDPR regulator 6. Possible severe fine: €10M–€20M, or 2%–4% of annual revenue
  • 31. Detect Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation Respond Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process. Audit Auditing provides essential visibility to fully understand your ever-changing network risks. Audit Detect Respond Start your new mission today
  • 32. PT TAD: Full Protection Visibility. NgFW; FW/IPS; IDS. Full solution, Full protection; IDS + FW modules (NgFW); Bypass analysis; True Network visibility, continuous monitoring and advanced analytics; Augments already existing FW investments if present; Optional FW/IPS module available by simple license upgrade from IDS installation or as standalone solution
  • 33.
  • 34. ENISA estimates that only 30% of EU operators have implemented GSMA security guidelines GSMA COMPLIANCE CHECK The quickest way to ensure compliance with GSMA FS.11 FS.19 IR.82
  • 35. Recap: 5G NSA SECURITY IS IMPOSSIBLE WITHOUT SIGNALLING LEVEL PROTECTION; CHALLENGING MIGRATION; TURN THE NEGATIVE STATISTICS; FULL SECURITY REQUIRES FULL VISIBILITY
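
The double MAP slide (24) describes a firewall that inspects only the first component of a TCAP message. As an added example (not from the presentation or from any Positive Technologies product), the Python below parses every Invoke component of a constructed TCAP Begin and compares a first-component-only verdict with an all-components verdict. The home IMSI prefix, the blocking policy and the sample bytes are assumptions made for illustration.

```python
# Added example: apply the signaling filter to every TCAP component, not only the first.
HOME_IMSI_PREFIX = "00101"   # assumption: home PLMN is the test network MCC 001 / MNC 01
# MAP operations whose argument carries the IMSI as context tag [0] (0x80).
MAP_OPS = {7: "insertSubscriberData", 8: "deleteSubscriberData"}
TBCD_DIGITS = "0123456789*#abc"

# Constructed sample (TCAP layer only): one Begin carrying two Invoke components.
SAMPLE = bytes.fromhex(
    "62 26"                                   # Begin, 38 bytes
    "48 04 00 00 00 01"                       # originating transaction ID
    "6C 1E"                                   # component portion, 30 bytes
    "A1 08 02 01 01 02 01 07 30 00"           # Invoke 1: opcode 7, no identifier
    "A1 12 02 01 02 02 01 08"                 # Invoke 2: opcode 8 ...
    "30 0A 80 08 00 01 01 21 43 65 87 F9"     # ... IMSI 001010123456789 (test value)
)

def read_tlv(buf, pos):
    """Read one BER TLV (single-byte tag, definite length). Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def tbcd_to_digits(octets):
    """Decode TBCD: low nibble first, 0xF is the filler for odd-length numbers."""
    digits = ""
    for b in octets:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                digits += TBCD_DIGITS[nib]
    return digits

def parse_components(msg):
    """Return one dict per component found in the TCAP component portion (tag 0x6C)."""
    _, body, _ = read_tlv(msg, 0)
    comps = []
    for tag, val in children(body):
        if tag != 0x6C:
            continue
        for ctag, cval in children(val):
            comp = {"type": ctag, "opcode": None, "op": None, "imsi": None}
            if ctag == 0xA1:                          # Invoke
                fields = children(cval)
                ints = [v for t, v in fields if t == 0x02]
                if len(ints) >= 2:                    # invokeID, then local opcode
                    comp["opcode"] = int.from_bytes(ints[1], "big")
                    comp["op"] = MAP_OPS.get(comp["opcode"])
                if comp["op"]:
                    for t, v in fields:
                        if t == 0x30:                 # argument SEQUENCE
                            for ptag, pval in children(v):
                                if ptag == 0x80:
                                    comp["imsi"] = tbcd_to_digits(pval)
            comps.append(comp)
    return comps

def violates(comp, from_external=True):
    """Assumed policy: an external peer must not modify a home subscriber's profile."""
    return bool(from_external and comp["op"] and comp["imsi"]
                and comp["imsi"].startswith(HOME_IMSI_PREFIX))

def verdict_first_only(msg):
    """The behaviour described on the slide: only component 1 is checked."""
    comps = parse_components(msg)
    return "block" if comps and violates(comps[0]) else "forward"

def verdict_all_components(msg):
    """Hardened behaviour: any violating component blocks the whole message."""
    hits = [c for c in parse_components(msg) if violates(c)]
    return ("block" if hits else "forward"), hits

if __name__ == "__main__":
    print("first-only:", verdict_first_only(SAMPLE))
    print("all components:", verdict_all_components(SAMPLE))
```
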

Editor's Notes

  1. A: Welcome everyone. My name is Federico Aureli and I have worked at Positive Technologies since 2016. I’m a member of the Expert and Delivery Team. Considering that in a pair everything goes better, today I’m glad to be here with my colleague Milan. Ciao Milan. B: Ciao Fede. I agree with you. Let me introduce myself. It’s been my second season in PT but I gained a lot of experience of messaging and security in my previous life. I hope I will learn something new today. So this is us - indeed more can be found in our private LinkedIn accounts. A: Anyway we are proud we can work for this great company
  2. B: Here comes the agenda for today. Let me remind you, any time you feel bored you might look for any other fancy webinars on our PT YouTube channel; of all of them I can recommend the one about 5G and calling Houston. This is my favourite one, an English guy trying to convince people living in London not to destroy newly installed 5G antennas. A: Good point for everyone on this call, 5G antennas have nothing to do with Corona virus or Brexit – really ...
  3. B: A little about us. PT is a company which puts research at the center of all its activities. This is our key differentiator: all we get from research is further propagated into our product and services portfolio. A: Researching vulnerabilities in different environments, from more standard ones like IT and Web Applications to more niche ones like Telecom and IoT, Industrial, banking & payment systems. Active participation in regulatory bodies such as GSMA.
  4. B: As you can see, and I think we repeat this over and over, we are researchers. If you are interested in any of our recent papers, go and visit our web positive-tech.com A: If I am not mistaken, this year we’ve released SS7, Diameter and GTP papers B: You remember it correctly
  5. A: Let’s look at this picture about what a hacker can do using SS7 flaws. Consider that SS7 is used by over 800 global telecoms; it’s insecure because when it was created it had no security in its design, and nowadays it can still be easily compromised by hackers. B: Looks like hackers can do almost everything. A: You are right, there is a pretty large perimeter of what can be done through your SS7 neighbors, but it’s not only limited to SS7; the other signaling guys are vulnerable the same way.
  6. B: A scary slide, I would say A: But this is the reality B: What takes 3 hours to recover from the DoS? A: We’ll see this in the next slides, but you know better than me that this is an average time based on our experience. Sometimes processes make the recovery phase even more challenging
  7. B: Let me once more touch on 5G antennas in UK; this was the first step of every MNO I know on the transformation way. They build up new radio and keep the existing EPC, but besides that they probably already have a virtualized 5G core. A: So even with 5G RAN you still communicate on 4G or 3G to your roaming partner? B: That’s correct, you can also add IPX providers; this is also a significant group A: I see
  8. A: But in case of 5G SA core the story changes and EPC is used for Partners and Internet B: Even LTE-only networks using the Diameter protocol instead of SS7 or even next-generation 5G networks must interconnect with previous-generation networks. A: Yes, and for this reason all partners or emerging MNOs using SS7 need to be supported. This is the so-called fallback B: Or better, backward compatibility A: What about roaming?
  9. A: This is the ideal world where everyone uses 5G B: What’s this? Better to simplify that.... A: Let’s have a simplified zoom…click
  10. B: In the ideal world everyone uses SEPP, and at that time we are happy and can go home. A: Sorry, but since March I work constantly from home, did you forget Corona virus? B: Aaa, you’re right, anyway this is a nice vision – everyone is happy, but fallback or backward compatibility makes this more complicated A: Do you think that SEPP will take decades to be adopted by all the roaming partners? B: Unfortunately I think so. SEPP will properly work only in case where both parties adopt 5G technology, so we’ll need a lot of time before we’ll see such a communication scheme fully working.
  11. A: Before talking about new network generations, let’s have a look at the “G” evolution B: Sure, as you can see it started with SS7; it’s been almost 3 decades and SS7 is still worth considering A: So we still need to count with SS7. Now let’s see the market penetration of each technology, this might be interesting – next page
  12. B: I didn’t expect this. SS7 (Signaling System No. 7) is a set of protocols governing the exchange of signaling messages on the control plane. A: The issue with SS7 is that it’s no longer isolated as it was when implemented: it can be accessed by both legitimate operators and by illegitimate attackers, which is still true. B: You could think that everything is going to finish with the progressive implementation of 5G, but it’s not true: until at least 2025 SS7 will continue to be a significant player. But I suppose its vulnerabilities have been mitigated during all this time…
  13. A: Can you see any significant progress within the last 3 years? B: Progress maybe, but whether significant is hard to say A: As you can see, in our 2018 analysis of SS7 vulnerabilities, we noted gradual security improvements in SS7 networks. B: Operators are still taking steps to improve security, but it seems they are doing so without the systemic approach needed to compensate for those flaws. A: You’re right, and so long as this remains the case, there will be gaps in security that can be exploited by attackers. Let’s have a look at Diameter…
  14. B: Please don’t ask me whether I see any improvement. A: Don’t worry, I won’t. As everyone can see, the last two years have brought almost no improvement in the security of Diameter networks. All the tested networks were vulnerable to denial of service, which poses a direct threat even to IoT devices. B: Non-standalone 5G means subscribers counting on the advantages of 5G, including improved security, are still susceptible to 4G threats. A: Do you know why we didn’t see the expected improvements? B: I can imagine. Something related to security feature implementation? A: Yes, but not only. These security features, even when installed and implemented, are not always correctly configured, which creates security gaps. Thus, the increased number of successful attacks in 2019 was due to both a general lack of traffic filtering and blocking systems as well as security gaps that allowed attackers to bypass these systems. In almost half of the networks studied, configuration errors in equipment at network boundaries allowed illegitimate requests to bypass. B: Exactly. Just as an example for our audience, SMS Home Routing, which is used to guarantee proper routing of terminating SMS messages, even if strictly speaking it is not a security feature, its use does prevent some attacks aimed at disclosing subscriber information and operator network configurations. But if it’s not rightly implemented and maintained you can have a false sense of security…
  15. A: The GTP protocol is more recent. As seen in the previous slide, it was introduced in 2001 but it seems to suffer almost the same security issues… B: Yes, Fede, you’re right. Based on our research in the field, even GTP can be a threat vector. DoS and Fraud are still possible, and the main flaw is that the user’s actual location is not checked, and this is responsible for half of successful attacks A: Impressive. I suggest our guests visit the Positive Technologies web site and download the full research: a lot of interesting stuff there.
  16. A: Need more? B: Only if you show me positive numbers A: All my numbers are positive....
  17. B: I see, positive numbers, I miss the year here? A: All the statistics we’re going to show now are average numbers from our security assessments from years 2019 and 2018 B: Let me ask a question then, how many assessments did we make last year? A: 76 security assessments B: Not bad, this is then a representative sample A: Yes, and as you can see in these delicious donuts, only 25 percent of firewalls and more than half of SMS Home Routing solutions were able to secure the network B: …impressive. So, it’s not only important to have the right equipment, but it’s important to configure it properly and keep it up to date. This is really important
  18. A: In the past two years, the number of networks in which an attacker can track a subscriber's location has grown. SS7 filters can be bypassed due to config issues, outdated DB, etc. B: Does this mean that attackers can make changes in a subscriber's profile that allow them to receive information about the subscriber's location every time that subscriber makes a call? A: Yes, it does. The ability for attackers to track a subscriber's location is directly related to a fundamental flaw in SS7 architecture. In certain cases it is impossible to establish whether a subscriber is affiliated with the network from which a signaling message originated. B: And if I understand this correctly, to prevent attacks, it is essential that filtering is correctly configured on end-user equipment and at network boundaries. In addition, signaling messages must be constantly monitored and analysed. A: You learn quickly....and that’s not all…
  19. B: Yet another disclosure, I see A: Exactly. However, operators are well-informed about this problem and they’re taking protective measures to prevent the disclosure of this information. Most methods used to disclose IMSIs require signaling messages that should not ever come from external networks, so it is not particularly difficult to block such attacks. B: So, generally, an attacker must know a subscriber's IMSI (International Mobile Subscriber Identity) as well as network equipment addresses in order to carry out an attack. A: Yes, it’s usually the first step for the majority of attacks. And it’s not the only interesting disclosure that can happen. Let’s see another disclosure example
  20. B: Who cares about network disclosure and why? A: In our study, the majority of successful attacks utilized the absence of signaling traffic filtering or bypassability of SMS Home Routing. B: This means information about network configuration is necessary for most attacks, which motivates attackers to seek out the addresses and functional roles of network equipment. A: Exactly. In isolated cases, attackers having such information also succeeded in bypassing the filtering of specialized security features.
  21. B: My lovely DoS, for some reason these have my sympathy - Attacks are generally carried out via requests aimed at changing settings in a subscriber's profile. A: And that’s not all…In some cases, restarting the subscriber's device is not enough to re-establish a connection—the subscriber has to actually change the network settings by hand or go to a different location in order to reconnect to another MSC.
  22. B: Aaa, Fraud, I was waiting to see whether you would show me this or not A: Why not? Every network that we tested in 2019 exposed vulnerabilities that could be exploited in financially-motivated attacks targeting both telecom providers and their clients, with money loss for both B: Enough numbers, give me an example and show me more A: As you wish
  23. B: Can you imagine, someone gives you more than you expect? A: I can. Let’s see this kind of attack, it’s named double MAP. B: What is it exactly? A: The TCAP message is composed of several portions, some of them mandatory (click) and others just optional (click). The intruder crafts a special message with two different operations inside to bypass security measures. B: How does the equipment react to this? A: Imagine, as an example, the first operation is InsertSubscriberData without an identifier of subscriber. The second operation is DeleteSubscriberData with the target subscriber IMSI. The attacker sends this message to the target network (click). The STP receives the message and sends it (click) to the SS7 firewall that inspects the first component only, defines that it does not have an identifier, (click) and forwards the message to the destination node. As easy as stealing an ice cream from a child. B: So using this you fool the STP as well as the Firewall, excellent. A: Do you want to see this in reality? B: Yes, please
  24. A: Live demos are always challenging, so let’s pray to the God of demos that nothing unexpected happens
  25. B: Here I know this.... This is related to 2 Factor Authentication, am I right? A: Not necessarily, but partially you are right. In fact much more can be done with interception, do you want to see an example? B: Yes please
  26. A: What about GDPR impacts of all this? B: Let’s have a look at the next slide - NEXT SLIDE -
  27. A: With this slide we open a really huge topic called GDPR. B: Looks like a variation of GPRS A: Something like this, it was not common to build security by the law/design, especially if you work in IoT industry B: But I guess the time is here, am I right? If I look at issues connected to SIM SWAP, FRAUD, stolen identity ... This becomes a serious problem A: Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. B: And this fact provides an opportunity for unscrupulous actors to take advantage… A: Indeed, can you imagine huge fines: €10M–€20M, or 2%–4% of annual revenue, whichever is greater.
  28. B: Something like this. It defines, among others, the concept of “Security by design”. Everyone should implement infrastructure taking security into very serious consideration. It was not common to build security by the law/design, especially if you were in IoT industry A: But I guess the time is here, am I right? If I look at issues connected to SIM SWAP, FRAUD, stolen identity ... This becomes a serious problem B: Beyond internal data safeguards, information obtainable via unprotected telecom networks could also constitute a breach. A: And this fact provides an opportunity for unscrupulous actors to take advantage. Furthermore, besides reputational loss, fines for violations are really huge: up to €20M or 4% of annual revenue.
  29. A: Here is just a small list of the GROUPS AND THE ATTACKS THAT can be done B: We are aware of over 20 major personal data groups which all contain various quantities of individual data types. A: Maybe you want to ask for an example on how to exploit all of this? B: Fede, can you give me an example please? NEXT slide
  30. A: Let’s describe a potential way A: 1, 3, 5 B: 2, 4, 6 B: So, is there any solution, or better, the right approach to minimize the impact of all we’ve spoken about so far? A: Yes, here you are HOW A HACKER CAN DO IT C=GAIN LOST OF INFORMATION
  31. A: Telecom Operators should implement a virtuous circular process like the one shown in this slide B: Audit, Detect and Respond. BTW nice circle, very similar to a square A: What is important to underline is that this process is continuous and should not be done only once. B: Yes, the network changes constantly, evolves, new functions are added. The attack surface can change. For this reason this squared circle flow should be constant. A: …and our technology can help our Customers… NEXT SLIDE
  32. B: I always wanted to know how Lego bricks stick together. A: I think all you need to know is that if you put them together they really stick B: But this slide is not about Lego, it shows that 1+1 can be more than 2 if you combine the right products NEXT SLIDE
  33. A: You are totally right, with IDS or IPS alone you never get such a comprehensive view of your network and significant advantage to combat incoming threats. Our Firewall combined with our best-in-class intelligence has been recognized as top-tier signaling technology for the second year in a row. B: It’s absolutely great!! So 1+1 equals 3 in this case. But what if, also due to Corona virus, I can’t invest, can I get something, let’s say, for FREE? A: For free? You know what? Yes, you can get our GSMA compliance check of your SS7 signaling network free of charge. B: Really? But what’s the difference between the paid and the free service? NEXT SLIDE
  34. A: As you can see, up to 75 test cases will be used for our GSMA Compliance Check B: Very interesting, but what if I don't want to touch my running configuration? A: You don't need to, everything is done remotely just to check real life scenarios in the safest possible way B: Amazing, what about the report?
  35. A: This is the final stage where we deliver the report to you. B: I see I can get a lot of information. Which are the sources you refer to in order to run these checks?
  36. A: Our Compliance check is based on GSMA guidelines and it’s composed of up to 75 tests. B: Great to know. ENISA estimates only 30% of EU operators have implemented such security guidelines. Very interesting, but what if I don't want to touch my running configuration? A: You don't need to, everything is done remotely just to check real life scenarios in the safest possible way B: And if I need more? A: If you need more, you can ask for further services like our Telecom Security Audit, where our experts perform deeper checks and bypass techniques are also tried. B: I heard about it, it’s very useful to dig deeper into my signaling network and have a full picture of my security posture
  37. B: We are almost running out of time, so let’s recap what we have learnt from this call B: Don’t forget that 5G NSA uses the previous generation backend A: Exactly for this reason, migration to 5G might be very challenging and SS7/Diameter vulnerabilities can’t be forgotten B: We need to push MNOs to turn the negative trend. Security features must always be kept updated and well configured A: Privacy always first. Regulations are going to be strict and users require it more and more B: And full visibility is a must these days...with PT TAD it’s easier than it has ever been, I’ll pause here
  38. And this is all from me and Federico, now it’s your turn, you can ask your questions. BTW: if you liked our webinar, let your friends know; if not, tell us