In recent weeks, following an episode of 60 Minutes, you may have heard of the SS7 protocol or SS7 network. For anyone unfamiliar with the technology - and you’re in the majority - the SS7 protocol underpins the world’s mobile networks. It possesses more daily users than the internet and must be used in every instance to send a text or make a phone call, among other uses.
The protocol was established when the first mobile operators were born, and has been used ever since. The original design assumptions were that access to the SS7 network would be strictly limited to the small group of mobile operators who used it to communicate with and bill each other. The challenge now is that we live in a world with a global mobile network, with operators in every geography, and many more access points to the SS7 network than ever before.
Skilled hackers with expert knowledge can infiltrate the SS7 network to do things such as intercept messages and calls, track a mobile subscriber’s location or alter phone credit amounts – without detection.
60 Minutes ran an episode focusing on this vulnerability, and (with permission) how they could record a politician’s phone calls by exploiting a security flaw in SS7. The program took a look specifically at whether intelligence agencies such as the CIA or NSA could be using these techniques. There are in fact several sources of evidence to suggest that intelligence agencies might be using SS7 vulnerabilities to monitor and track individuals/VIPs.
Interception and tracking have been detected and reported by Government state agencies including the Ukrainian secret service (SBU). The SBU recently investigated suspicious Russian-originated activity which included call interceptions on its mobile networks. As a result, new legislation has been submitted that could allow Ukrainian security services to listen (legally) to subscribers of foreign mobile operators.
Through our own analysis of mobile networks around the globe, we have uncovered several highly sophisticated global tracking platforms engaging in the attempted tracking and interception of individuals. Specifically, earlier this year four tracking platforms were discovered monitoring the location of subscribers, spanning multi-operators and multi-countries. While we have no direct evidence to prove this, the complexity, tactics, resemblance to known espionage systems and a global focused surveillance effort lead us to suspect a motive of espionage in these instances.
Finally, background materials released in leaks have shown that some intelligence agencies are collecting information to support attacks. As part of the Edward Snowden revelations in 2014, there was the disclosure of a project called Auroragold within the NSA.
Auroragold is an interesting case because it was set up to collect information on mobile operators. This was achieved through the interception and collection of sensitive documents called IR.21s, that operators use to enable subscribers to interact and roam between other networks, and allow networks to accurately bill each other. Auroragold obtained IR.21s in a number of ways, its stated aim being to better understand today’s networks and predict future trends to benefit other agencies within the NSA, other agencies including protocol exploitation elements.
Although an IR.21 is not enough to execute an SS7 attack, it reveals information about a network, such as what network elements are available as well as the types of subscribers and network numbers they use. Our own research has shown that mobile network hackers attempt to identify new network elements to better inform their attacks, so information contained in IR.21s would be beneficial for someone looking to exploit the protocol. Espionage is all about intelligence gathering, and every piece of info helps.
Event in Norway
The 60 Minutes program discussed how the average person is not likely to be affected by SS7 attacks. However, though it’s right to say that the ‘average’ person may not be specifically targeted (our investigations show this to be true) this does not mean they cannot be affected. A real example of this took place recently in the largest mobile network in Norway.
On the morning of 19 February, more than one million mobile subscribers of the Telenor Norway network found themselves without cellular coverage for three and a half hours because of an external SS7 'event'. As Telenor later explained, it had received packets over the SS7 network from external sources in an unexpected format, which made a key part of the network enter an ‘infinite loop’, resulting in activity ceasing across the entire network.
Telenor reported that the source of these SS7 packets was a network operator in Luxembourg that had been carrying out an SS7 vulnerability analysis of other telecom operators to determine if there was leakage of subscriber information. It was doing this in conjunction with a security consultancy, and without prior consent. Subsequent statements clarified that the outage was caused by a technical fault in the way Telenor’s HLR was handling received packets, but it showed the huge impact an SS7 event could have unintentionally, and serves to give us warning of what damage a deliberate and malicious attack could cause.
So we’ve seen how critical the SS7 network is and how successful attacks leave a nation’s infrastructure vulnerable. While many of the SS7 events we have uncovered are location-tracking or call interception attempts, the Telenor incident warns that denial-of-service attacks are also possible.
The mobile community is working to address these threats. The GSMA, security vendors and mobile operators are collaborating to better understand sophisticated adversaries' means and ways of exploiting networks. Future networks require the same degree of protection across all network types, be it GSM, CDMA and LTE as Diameter becomes a target of exploitation, and AdaptiveMobile is working with operators to protect against these network exploitations.
With so many people dependent on mobile devices to communicate and work, mobile network security is more important than ever.
Cathal McDaid, Head of AdaptiveMobile Threat Intelligence Unit
Image source: Shutterstock/GiDesign