Our friends at Xura sent over a compilation of security studies that are always a fun read. (That is, if you define “fun” like a roller coaster that occasionally has to be shut down for repairs and investigations.) The study by Positive Technologies is a year old but the problem is an ongoing one for the industry.
Here is the primary issue in a nutshell: The SS7 was designed at a time when computers were rare and circuit routing needed to be set up dynamically on the network. In effect, Signaling System Seven, was designed to reserve pathways on the public switched network. If you got a fast busy signal, that meant you had blockage in the network. If you got a slow (regular) busy signal, it meant the other person was on their phone already and you would have to ask for another path at another time.
Now on the Internet, reservations are pretty much nonexistent. You either have sufficient bandwidth between point A and point B, or you experience delay. For data, a packet can live with delay and can be compiled when at the end. If it’s voice or video, the packets have to maintain some sort of sequence although dropped packets can be masked to some extent. Regardless though, packets don’t need reservations. However, you can deliberately route to specific routes for QoS. (My friend Henry Sinnreich would say only because you are a bad Internet engineer).
Now in my past, I was an advocate for a next generation of SS7, which we called SSI. However that was at a time when dialup was prevalent. In effect, I was trying to protect the switching network with pre- and post-switch traffic management techniques. (What can I say, I’m a Bell Head!)
If we think about where we are today with the Internet Backbone, it’s clear the packet technology is doing the network core for voice calls. We are migrating to Voice over LTE for mobile. Ideally then, the only reservation that the SS7 is managing is somewhere near the termination point. It probably is the terminating tandem switch and the terminating central office. If the SS7 is being used for anything else, like session border controller [SBCs] for ingress, it’s probably redundant. If SS7 is being used for anything more substantial than egress it is probably for bypassing some tariff.
The point is that from SS7’s original intention, it is no longer appropriate. However, SS7 is used for caller ID, text messaging and law enforcement. These things keep the legacy alive. This makes SS7 a gateway interface from the Internet, which is a convoluted way of saying that SS7 no longer is a closed system.
So here is what Positive Technologies was able to accomplish.
An intruder with basic skills was able to perform dangerous attacks that may lead to direct subscriber financial loss, confidential data leakage or disruption of communication services. During network security testing, Positive Technologies experts managed to perform such attacks as discovering a subscriber’s location, disrupting a subscriber’s service, SMS interception, Unstructured Supplementary Service Data (USSD) forgery requests (and transfer of funds as a result of this attack), voice call redirection, conversation tapping and disrupting the availability of a mobile switch.
The testing revealed that even the top 10 telecommunications companies are vulnerable to these attacks. Moreover, there are reported cases of such attacks internationally, including discovering a subscriber’s location and eavesdropping on conversations.
Common characteristics of these attacks:
- An intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux-based computer and a publicly available SDK for generating SS7 packets.
- After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods. For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc.
- Attacks are based on legitimate SS7 messages. Therefore, you cannot simply filter messages as it may have a negative impact on the overall quality of service.
Now here comes the updated thinking. Perhaps it’s time for SS7 to be forgotten and marginalized to only doing termination reservations.
If we don’t take that radical approach of reducing the value of SS7, it will still attract hacking.
Edited by
Rory J. Thompson