SS7 exploitation and the threat it poses to mobile users’ privacy

Signalling networks enable the exchange of information that sets up, controls and terminates phone calls.

Signalling System No. 7, or SS7, is widely used by mobile companies to enable subscribers to communicate with anyone, anywhere. The central nervous system of a mobile operator’s network, it contains mission-critical real-time data such as a subscriber’s identity, status, location, and technology, providing the operator with the ability to manage communications, as well as bill subscribers for the services they provide.

As each network component in a core network uses SS7 to interface with other network components, any vulnerability related to the SS7 protocol could severely threaten the trust and privacy of subscribers.

Gaining access to the information it holds and using it for commercial or nefarious ends can prove very valuable to the right person. So when you consider that the SS7 network has more users worldwide than the Internet, it’s perhaps little surprise that operators and subscribers alike are seriously concerned about its security.

Using SS7 to exploit the mobile network

SS7 was designed for use as a ‘trusted network’, but it has since transpired that the network is not as secure as was once believed. Indeed, vulnerabilities in SS7 were being publicly discussed as long ago as 2008.

Telecom engineers had warned of possible risks and even top government officials were voicing concern about its security after a German researcher was able to demonstrate how the protocol could be used to determine the location of a mobile phone.

It wasn’t until 2013, however, that the issue gained wider public attention when it was revealed that an SS7 network had been exploited for purposes of illicit information gathering.

Subsequent incidents have since revealed that unauthorised access to the network is not only possible but far simpler to achieve than was once believed. Networks are vulnerable to fraud and misuse, with loopholes in the SS7 protocol being used to steal money, listen in on conversations, monitor messages, determine a subscriber’s location, manipulate network and subscriber data, and generally disrupt services.

In the past, safety protocols around an SS7 network’s hosts and communications channels involved physical security, making it almost impossible to obtain access through a remote unauthorised host. Today though, while the process of placing voice calls in modern mobile networks still relies on SS7 technology dating back to the 70s, the deployment of new signalling transport protocols known as SIGTRAN allows SS7 to run over IP.

Unfortunately, while this move offers the advantages of greater bandwidth, redundancy, reliability, and access to IP-based functions and applications, it has also opened up new points of vulnerability.

With the right technical skill and intent, it’s possible for someone to use SS7 to exploit the mobile network and its users.

Examples of exploitations

IMSI (International Mobile Subscriber Identity) is a unique subscriber identification used by mobile network operators, and is generally considered to be secure and confidential. Using the target subscriber’s number, however, an attacker could exploit an SS7 vulnerability to obtain the subscriber’s IMSI as part of a routine SMS delivery protocol.

By using the IMSI in conjunction with the current Mobile Switching Centre (MSC) and Visitor Location Register (VLR) address - also obtainable via an SS7 vulnerability - an attacker can leverage data commonly used for real-time tariffing of a subscriber’s incoming calls to determine the subscriber’s location to within a few hundred metres.

The combination of IMSI and current MSC/VLR address can also be used to block a subscriber from receiving incoming calls and text messages by registering the handset in a spoofed coverage zone; an experience similar to being a roaming subscriber registered on a different network.

More worryingly, a spoofed MSC/VLR zone can allow attackers to intercept incoming SMS messages, from which they can gain critical personal information and sensitive data such as one-time mobile banking passwords, two-factor authentication interactions, and password resets for various services including email accounts or social networks.

Similarly, it’s possible to intercept incoming voice calls and illegally monitor conversations, or redirect calls to expensive international numbers or pay-per-use schemes where voice traffic can be monetised.

Of considerable concern to many, USSD (Unstructured Supplementary Service Data) commands are widely used by subscribers in some markets as a means of communicating directly with the automated billing or payment services offered by mobile network providers or those partners offering monetary transactions and banking services.

Attackers are able to use USSD commands to spoof transactions such as authorising purchases or transferring funds between accounts. And, by intercepting incoming SMS messages confirming the transactions, they can go undetected for some time.

Building and implementing solutions

With potential threats to the SS7 network coming from a growing number of sources including hackers and fraudsters with criminal intent, operators are under increasing pressure to protect the privacy of their subscribers.

The mobile ecosystem has begun work on defining recommendations, and building and implementing solutions to detect and prevent potential attacks. Operators need a solution that is easy to deploy whilst being comprehensive, and which ideally should overlay existing architecture, eliminating the need and expense of redesigning that which is already in place.

Not only should it block suspicious traffic, but it should also use global threat intelligence and advanced analytics to secure the network against privacy and fraud attacks.
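As an added illustration (not part of the original article, and not any vendor's product code), the sketch below shows the kind of screening rules such an overlay could apply to the IMSI lookups and spoofed MSC/VLR registrations described earlier. The event fields, the operation labels SRI_SM and UPDATE_LOCATION, the global title prefixes and the one-hour threshold are all assumptions made for the example.

```python
# Added example: screening rules over constructed SS7 signalling events.
# Field names, prefixes and thresholds are assumptions, not a vendor format.

PARTNER_PREFIXES = ("4477009", "4915550")  # constructed roaming-partner global titles
MIN_TRAVEL_SECONDS = 3600                  # assumed minimum time to change country

def is_partner(gt):
    return gt.startswith(PARTNER_PREFIXES)

def country(gt):
    # Simplification: treat the first two digits of the global title as the country code.
    return gt[:2]

def screen(events):
    """Return (time, subscriber, reason) alerts for a time-ordered event list."""
    alerts = []
    last_seen = {}  # subscriber -> (time, global title of last accepted VLR)
    for ev in events:
        t, op, origin, sub = ev["t"], ev["op"], ev["origin_gt"], ev["subscriber"]
        if op == "SRI_SM" and not is_partner(origin):
            # SMS routing lookup (returns the IMSI) from an unrecognised source.
            alerts.append((t, sub, "imsi-lookup-from-unknown-origin"))
        elif op == "UPDATE_LOCATION":
            reasons = []
            if not is_partner(origin):
                reasons.append("registration-from-unknown-origin")
            prev = last_seen.get(sub)
            if prev and country(prev[1]) != country(origin) \
                    and t - prev[0] < MIN_TRAVEL_SECONDS:
                reasons.append("implausible-location-change")
            if reasons:
                alerts.extend((t, sub, r) for r in reasons)
            else:
                last_seen[sub] = (t, origin)  # only accepted registrations set the baseline
    return alerts

# Constructed sample events (times in seconds); none of these are real addresses.
SAMPLE_EVENTS = [
    {"t": 0,    "op": "UPDATE_LOCATION", "origin_gt": "447700900001", "subscriber": "sub-A"},
    {"t": 10,   "op": "UPDATE_LOCATION", "origin_gt": "447700900001", "subscriber": "sub-B"},
    {"t": 600,  "op": "SRI_SM",          "origin_gt": "999000000001", "subscriber": "sub-A"},
    {"t": 660,  "op": "UPDATE_LOCATION", "origin_gt": "999000000001", "subscriber": "sub-A"},
    {"t": 900,  "op": "UPDATE_LOCATION", "origin_gt": "491555000003", "subscriber": "sub-A"},
    {"t": 7200, "op": "UPDATE_LOCATION", "origin_gt": "491555000003", "subscriber": "sub-B"},
    {"t": 7300, "op": "SRI_SM",          "origin_gt": "491555000002", "subscriber": "sub-B"},
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_EVENTS):
        print(alert)
```

In the sample, sub-B's move to a partner network two hours after the last registration passes, while sub-A's registrations within minutes from another country are flagged even when the origin is a recognised partner.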

Mobile communications are a prime target for hackers looking to exploit personal information as well as penetrate critical infrastructure and businesses, and SS7 vulnerabilities provide the way in they’re looking for. It’s crucial therefore that the ecosystem works together to quickly find and implement protective measures now, before subscribers, businesses and even governments are severely impacted.

Ilia Abramov, Head of Security, Xura
