1 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Signaling Security - The Old and New threat

Bill WelchJune 2016

2 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

BackgroundSS7 is not secure. Never has been.

No longer a Closed and Trusted Community.

Hacker access is easy.

Services and Applications using SS7 has grown beyond original designs.

A recent video article by 60 Minutes and previous research by German researchers at Hacking conference have provided a spotlight to expose SS7 vulnerabilities

Hacking SS7 networks is a way to make

money.

3 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Effects todayCarriers are forced

to pay other Carriers with no compensation

Locate a target using only a phone number

Make free calls / send free SMS / use free data

Prevent a victim from receiving

service

Overload core network with a DDOS attack

Eavesdrop on a victims phone calls / SMS message

Generate thousands of premium rate phone calls

4 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Threat Description

Tracking Tracking a subscribers location down to the Cell-ID level

Intercept Man-in-the-middle attacks to eavesdrop on voice calls and SMS

Fraud Subscriber and Carrier Levels

Denial of Service

Prevent victim from using network service (Voice / Data / SMS)

Spam Forwarding of SMS directly to victims network

SS7 Vulnerabilities

*Source: Cellusys Signaling Firewall Introduction 2016 and SS7 Vulnerabilities ebook www.cellusys.com

SS7 Access is Easy to Obtain and is Happening.

5 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Example Hack Hacker first obtains subscriber information and then executes fraudulent SMS forwarding

Hacker is able to see all SMS messages but Subscriber no longer sees messages. Hacker goes to Bank or Credit card Web site and asked for password to be reset via SMS message

Subscriber is locked out of bank/CC account Hacker make fraudulent charges or hold account in ransom with the subscriber

Gaining Access to Financial information

6 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Example Hack Call forwarding is setup for one phone to forward all calls to premium number (900) or international service.

Multiple parallel calls are made to forwarded phone number to run up charges

Lost per hour at $3 to $5K per hour per forwarded number

Call Forwarding to Premium number

7 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

OTT messaging and voice Applications must be safe as they talk about security and use encryption

But they are only as strong as their weakest link

Many of them inter-connect with or rely on SS7 network for password resets

A recent article demonstrates how WhatsApp and Telegram was compromised using SS7 link

OTT Apps must be Safe

8 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Hackers - Who and Why

Skill Level

Difficulty of Detection & Prevention

Hobbyist- Adventure- Embarrassment

Professional- Looking to Profit- Profits continue as long as they are not detected

Sleeper - Very Professional- Lawful or other intercept- Network shutdown- Commercial Intelligence- Other intelligence

Network Errors

9 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Cost of doing nothing

Thief of service

Lost Revenue.

Eternal Payments

Eavesdropping of calls and text

Negative Media event Brand

impact

Fines from Local Regulators Direct impact to bottom

line

Congressional hearings and unwanted regulation of industry

Network DDOS attack

Service impact to all subscribers

Revenue loss

Loss Subscribers to competition

Thief of Subscribers personal information

Criminal and Civil Lawsuits

Fines from regulators

Loss of confidence with Business partners

10 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Are you at Risk

Source: http://ss7map.p1sec.com/

11 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Industry Response

Share and Compare information with other Carriers

GSMA Fraud and Security Group GSMA PRD FS.11 SS7 interconnect Security Monitoring Guidelines

GSMA PRD FS.07 SS7 and SIGTRAN Network Security Issues

GSMA PRD IR.70 SMS SS7 Fraud

GSMA PRD IR.71 SMS SS7 Fraud Prevention

IR.82 Security SS7 implementation on SS7 network guidelines

Compare with

Finances

Know your Traffic flows

Think Like an

Accountant

Monitor Long

Duration

ACT

GSMA is identify, categorize and remedy threads in IR.82

12 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Minimum Steps For Carriers

Never leak the IMSI of your subscribers

Block external signalling messages that are not permitted

Authenticate the sender where messages are permitted from external sources

Audit networks and financial information

Note: GSMA IR82 contains details of the above.

13 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

Multi-layer defense

Transport Layer

IP Firewall Network deviceaccess

DOS/DDOS IPSEC

Application Layer

STP / DSC SS7 Advanced Gateway Screening

Gateway Statistics MAP / CAP layerparameters

Message Context SS7 Firewall SMS Fraud DiameterFirewall

Full message inspection

X X

IP FW + Security SS7 STP Signaling FW

X

14 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY

When was the last time a security audit was performed on SS7 network?

Am I under Attack right now and vulnerable to future attach?

Do I have Multi-layer Security architecture for Signaling?

Am I leaking IMSI information today?

Are their legitimate messages coming from questionable sources?

Sonus and Cellusys can help today

Further information here:http://www.sonus.net/solutions/mobile-network-operator-solutions/ss7-security

Act Now

15 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY