Uncovering the Hidden Risks: A Comprehensive Guide to GSMA SS7 Security - SecurityGen/secgen GitHub Wiki

What are the security issues with SS7?

SS7 has been in the network since the mid-1980s, controlling wireline and wireless calls, and now we're talking about its flaws. Many people believe that we should only focus on the evolution to LTE/EPC Diameter networks, but the legacy SS7 protocol-based networks still serve the vast majority of wireless subscribers. Because SS7 is expected to be around for a long time, any vulnerabilities should be addressed as soon as possible. Before we can see these threats, we must and should understand what they are and how they are even possible, given the longevity of the network and protocols.

Table of Contents

What are the security issues with SS7?

Obtaining the IMSI of the Subscriber

Determining the location of the subscriber

Monitoring and intercepting an outgoing call

Monitoring and intercepting an incoming call

Intercepting SMS (Text) messages of subscribers

Disruption of subscriber availability

Manipulating USSD Request

Manipulating a subscriber's profile in the Visitor Location Register (VLR)

How many categories are included in GSMA SS7 firewall guidelines?

What is the SS7 Firewall?

Does 5G use SS7?

What are the security issues with SS7?

Signaling System Number 7 is abbreviated as SS7. It is the set of protocols that mobile phone networks use to exchange the data needed to set up voice calls and deliver text messages. It also ensures the customer is charged the correct amount based on their tariff.

When visiting a foreign country, users on a network in their home country can roam on another network using SS7. Although it has been used in the United States since the mid-1970s, SS7 became the international standard in 1998, and the most recent version was released in the early 1990s. It is still the same standard used by mobile phone networks today.

The security risks associated with SS7 are described below.

Obtaining the IMSI of the Subscriber

An attacker can obtain the IMSI by utilizing the SS7 Mobile Application Part (MAP) and its standard procedure for delivering a text message to a subscriber. All the attacker needs is the target subscriber's phone number, network access, and a basic understanding of the target's home SS7 network.

Determining the location of the subscriber

An attacker masquerades as a Home Location Register (HLR) and employs the standard MAP Provide Subscriber Information procedure. This procedure returns the Cell ID, Mobile Country Code (MCC), and Location Area Code, all of which relate to the target subscriber's current location.

Monitoring and intercepting an outgoing call

This threat employs the Customized Applications for Mobile Networks Enhanced Logic (CAMEL) Application Part (CAP) protocol and logic. CAP enables network operators to define services in addition to the standard Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) services.

Monitoring and intercepting an incoming call

This attack employs the SS7 MAP messages and procedures of the common subscriber call-forwarding feature, but the forwarding is activated at the SS7 level without the target's knowledge. It also employs a bridging/monitoring/recording system to connect two calls. After canceling call forwarding, the intruder places a second call leg to the original called party.

Intercepting SMS (Text) messages of subscribers

The attacker will pose as an MSC/VLR and send a MAP-Update-Location (UL) Request message directly to the subscriber's HLR. After completing this procedure, SMS messages will be sent to the intruder posing as a Fake MSC serving the target subscriber. This attack can obtain target subscribers' passwords, reset passwords, and gain complete access to their accounts.

Disruption of subscriber availability

In this attack, an intruder will impersonate an MSC/VLR and send a MAP-Update-Location (UL) Request message to the subscriber's HLR. After completing the Update Location procedures, the subscriber will be unable to receive incoming messages or calls.

Manipulating USSD Request

For online banking, mobile prepaid, and other financially sensitive applications, Unstructured Supplementary Service Data (USSD) is used. Fraud involving USSD can have serious financial consequences for subscribers, network operators, financial institutions, and others. In this multi-staged attack, the intruder poses as a Short Message Service Center (SMSC) and requests funds transfer from the target subscriber account to the intruder's account.

Changing a user's profile in the Visitor Location Register (VLR)

When an intruder has access to the subscriber identity (MSISDN, IMSI), the serving address (MSC/VLR), and the format of the subscriber profile, they can change billing routing, allowing them to:

Disrupt the subscriber's service

Make fraudulent calls using the subscriber's mobile station

In this attack, the intruder poses as an HLR and sends a bogus subscriber profile to the serving MSC/VLR, invoking the services the intruder wants. Among these services are:

Bypassing billing services

Enabling or disabling call forwarding

Barring calls to the target subscriber, among other things

How many categories are included in GSMA SS7 firewall guidelines?

The GSMA regularly updates its "SS7 Interconnect Security" guidelines, also known as the FS.11 recommendations. In general, these recommendations define three categories of messages:

Category 1: Messages that should only ever be exchanged within the same network. They are unauthorized at the interconnect level and should not be sent between operators unless an explicit bilateral agreement exists.

Category 2: Messages that should normally only be received from the home network of an inbound roamer. Detecting anomalies requires intra-packet logic, that is, checks on the fields of a single inbound or outbound packet.

Category 3: Messages that should only be received from the network the subscriber is currently visiting. These MAP packets are legitimately sent over mobile operator interconnects, so detecting anomalies requires additional, advanced inter-packet logic that correlates several packets over time. Messages indicating an unusually rapid change of location (as measured by consecutive Location Updates from non-bordering countries within a short period) should be filtered.
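A defender-side illustration of the three categories, added here and not part of the wiki, the GSMA guidelines, or any vendor product: a small screening class that classifies an incoming MAP operation and applies the intra-packet checks (Category 1 and 2) and the inter-packet velocity check on consecutive Location Updates (Category 3) described above. It also covers the Update Location abuse described under SMS interception and disruption of subscriber availability, since those requests arrive as Category 3 traffic. The operation-to-category table, the five-digit MCC+MNC decoding of IMSIs and originating networks, the neighbour table and the one-hour window are assumptions; the sample messages are constructed.

```python
"""FS.11-style screening of incoming MAP operations (added example, not the
wiki's or any vendor's code). The operation-to-category table, the 5-digit
MCC+MNC decoding, the neighbour table and the one-hour velocity window are
illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Illustrative FS.11 category per MAP operation (assumption: the real FS.11
# tables are longer and operators tune them to their own policy).
CATEGORY: Dict[str, int] = {
    "anyTimeInterrogation": 1,   # Cat 1: must not cross an interconnect at all
    "sendIMSI": 1,
    "provideSubscriberInfo": 2,  # Cat 2: only from an inbound roamer's home network
    "insertSubscriberData": 2,
    "cancelLocation": 2,
    "updateLocation": 3,         # Cat 3: only from the network our subscriber is visiting
    "sendAuthenticationInfo": 3,
}

# Constructed neighbour table keyed by MCC (204 Netherlands, 206 Belgium,
# 262 Germany and 310 USA are real MCCs; the pairs below are a toy selection).
BORDERING: Set[FrozenSet[str]] = {frozenset({"204", "206"}), frozenset({"204", "262"})}
VELOCITY_WINDOW_S = 3600  # assumption: a non-bordering country change in < 1 h is implausible


@dataclass(frozen=True)
class MapMessage:
    opcode: str
    origin_plmn: str  # MCC+MNC of the sending network, derived from the calling-party global title
    imsi: str         # target subscriber; assumed layout MCC(3) + MNC(2) + MSIN
    timestamp: int    # seconds since epoch


def home_plmn(imsi: str) -> str:
    """Home network of a subscriber (assumption: 2-digit MNC, so the first 5 digits)."""
    return imsi[:5]


class Ss7Screen:
    """Stateful screen: intra-packet checks for Cat 1/2, inter-packet velocity check for Cat 3."""

    def __init__(self, own_plmn: str, bilateral_cat1: Set[str] = frozenset()) -> None:
        self.own_plmn = own_plmn
        self.bilateral_cat1 = set(bilateral_cat1)  # partners with an explicit Cat 1 agreement
        # imsi -> (origin_plmn, timestamp) of the last accepted updateLocation
        self.last_location: Dict[str, Tuple[str, int]] = {}
        self.log: List[Tuple[int, str, str, str, str]] = []  # audit trail for a SIEM

    def screen(self, msg: MapMessage) -> Tuple[str, str]:
        verdict, reason = self._decide(msg)
        self.log.append((msg.timestamp, msg.opcode, msg.origin_plmn, verdict, reason))
        return verdict, reason

    def _decide(self, msg: MapMessage) -> Tuple[str, str]:
        cat = CATEGORY.get(msg.opcode)
        if cat is None:
            return "allow", "operation not in policy table"
        if cat == 1:
            if msg.origin_plmn in self.bilateral_cat1:
                return "allow", "Cat 1 permitted by bilateral agreement"
            return "block", "Cat 1 operation received over interconnect"
        if cat == 2:
            # Intra-packet: the sender must be the home network of the roamer it concerns.
            if msg.origin_plmn == home_plmn(msg.imsi):
                return "allow", "Cat 2 from inbound roamer's home network"
            return "block", "Cat 2 from a network that is not the subscriber's home"
        # Cat 3: the IMSI must be ours, and consecutive location updates must be plausible.
        if home_plmn(msg.imsi) != self.own_plmn:
            return "block", "Cat 3 for a subscriber that does not belong to this network"
        if msg.opcode != "updateLocation":
            return "allow", "Cat 3 non-location operation"
        prev = self.last_location.get(msg.imsi)
        if prev is not None:
            prev_plmn, prev_ts = prev
            moved_country = prev_plmn[:3] != msg.origin_plmn[:3]
            bordering = frozenset({prev_plmn[:3], msg.origin_plmn[:3]}) in BORDERING
            if moved_country and not bordering and msg.timestamp - prev_ts < VELOCITY_WINDOW_S:
                return "block", "Cat 3 velocity check: implausible location change"
        self.last_location[msg.imsi] = (msg.origin_plmn, msg.timestamp)
        return "allow", "Cat 3 location update accepted"


def demo() -> List[str]:
    """Constructed sample traffic screened by a German operator (own PLMN 26201)."""
    screen = Ss7Screen(own_plmn="26201")
    sample = [
        MapMessage("anyTimeInterrogation", "20408", "262010000000001", 0),     # Cat 1 -> block
        MapMessage("provideSubscriberInfo", "20408", "204080000000002", 0),    # home of roamer -> allow
        MapMessage("provideSubscriberInfo", "31026", "204080000000002", 0),    # wrong origin -> block
        MapMessage("updateLocation", "20408", "262010000000001", 0),           # first UL -> allow
        MapMessage("updateLocation", "31026", "262010000000001", 600),         # NL -> US in 10 min -> block
        MapMessage("updateLocation", "20601", "262010000000001", 900),         # NL -> BE, bordering -> allow
        MapMessage("updateLocation", "31026", "262010000000001", 4500),        # window elapsed -> allow
    ]
    return [screen.screen(m)[0] for m in sample]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the categorisation and origin checks live in the STP or signalling firewall, the originating network is taken from the calling-party global title in SCCP, the log entries feed a SIEM, and both the velocity window and the neighbour table are operator policy rather than fixed values; the screen above only shows the shape of the intra-packet versus inter-packet logic.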

What is the SS7 Firewall?

The SS7 Firewall is a "signalling firewall" that safeguards mobile operators against SS7 attacks. The SS7 Firewall protects SS7-based legacy networks from potential attacks, unauthorized senders, malformed messages, stolen mobile identities, and other threats. The SS7 Firewall follows the FS.11 GSMA security guidelines for SS7 signaling firewalls.

The SS7 Firewall is a single-engine software solution that supports various signaling protocols, including Diameter, HTTP/2, and SS7. Nomios considers a threat to one domain a threat to all domains. As a result, the signaling Firewall provides service providers with a path to gradual migration and centralized security architecture across Diameter, SS7, and HTTP/2, which are all required for 5G signaling operations.

Does 5G use SS7?

SS7 is still the most widely used protocol technology, and while Diameter adoption is increasing, 5G will bring HTTP/2 to the Mobile core. Mobile networks have never been more vulnerable to attacks from the connected world.

As you can see, vulnerabilities and fraud within the SS7 protocol and network are a major concern. The obvious answer would be to change the protocol and network, but this is not possible for various reasons, as discussed. The ultimate solution to these protocol and network issues is to install a network security firewall. This firewall should include the policies necessary to address the currently defined threats and be easily adaptable to address future threats as they emerge. To achieve this, the SS7 signaling firewall should be capable of real-time monitoring and detection of both known and unknown threats.