SS7 security





On Github hainguyen-telenor / Talk

Agenda

  • SS7 security
    • State of the art
    • Challenges in detection
  • Testing environment
    • SS7 attack simulator: A demo
    • Big data platform
    • Test results with machine learning.
  • Challenges and ways forward

The Signaling System 7 aka SS7

  • The nervous system
    • Of both the telecommunication network and the mobile communication network.
    • Allows network elements to communicate, collaborate and deliver telecommunication services to the users.
  • Used to be a walled garden system
    • Network of trusted operators.
    • No need for security.

New era: Emergence of threats

  • Deregulation
    • Removed the monopoly of telecom operators.
    • Opened the market for less trusted parties.
  • Transition to IP
    • Paved the way for innovative services.
    • Inherited weaknesses of IP.
  • Advances in microelectronics
    • Cheaper equipment to launch attacks.
  • Open source mobile communication
    • Enabled the construction of fake base stations.

Publicly disclosed SS7 attacks

  • Attackers are able to
    • Track the location of subscribers.
    • Intercept calls and SMS.
    • Commit fraud.
    • Deny service to subscribers.
  • Requirements for attackers
    • Must be connected to the SS7 network.
    • Be able to generate arbitrary messages.
    • Must be able to imitate an element in the core network by providing SS7 capability.

SS7 Messages used in attacks

  • Category 1:
    • Messages that have no legitimate use case for external exposure:
    • sendIdentification (SI) – anyTimeInterrogation (ATI) – anyTimeModification (ATM) – provideSubscriberLocation (PSL).
  • Category 2:
    • Messages that have no legitimate need to be exposed externally for the operator’s own subscribers, but can be received for other operators’ roaming subscribers:
    • provideSubscriberInformation (PSI) – insertSubscriberData (ISD) + gsmSCF – insertSubscriberData – deleteSubscriberData (DSL).
  • Category 3:
    • Messages that have a legitimate need for external exposure:
    • updateLocation (UL) – sendAuthenticationInfo (SAI) – registerSS – eraseSS – processUnstructuredSS (PSU) – cancelLocation (CL) – sendRoutingInformation (SRI-SM, SRI-LCS).

How is the situation with other operators

  • To be updated if approved for publishing

SS7 security

  • SS7 is no longer secure.
  • Operators need to separate their home SS7 portion from the global network and provide adequate protection.
  • Border control is needed to block illegitimate SS7 messages from penetrating the network.

Detection methods and challenges

  • Category 1
    • A simple filter can be used to identify and block these messages and so prevent attacks.
  • Category 2
    • More advanced filters using the correlation between roaming users and their home operators can be employed to block unwanted messages.
    • Unfortunately, such filtering will not be able to protect roaming users.
  • Category 3
    • No usable filter exists to detect attacks, because detection needs complex correlation with further information on the current user state, e.g. last cell ID.
    • Indeed, signatures for attacks using category 3 messages can hardly be determined.
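
The three filtering levels above, sketched as a border filter. This is an added example, not code from the talk or its simulator; the PLMN code, global title prefixes, partner table and the default-deny rule for unknown operations are constructed assumptions.

```python
from dataclasses import dataclass

# MAP operations grouped as on the slide (spelling normalized; SRI variants spelled out).
CATEGORY_1 = {"sendIdentification", "anyTimeInterrogation",
              "anyTimeModification", "provideSubscriberLocation"}
CATEGORY_2 = {"provideSubscriberInformation", "insertSubscriberData",
              "deleteSubscriberData"}
CATEGORY_3 = {"updateLocation", "sendAuthenticationInfo", "registerSS", "eraseSS",
              "processUnstructuredSS", "cancelLocation",
              "sendRoutingInfoForSM", "sendRoutingInfoForLCS"}

# Constructed values, not real operator data.
HOME_PLMN = "00101"        # MCC+MNC of the protected network
OWN_GT_PREFIX = "00010"    # global titles of our own core nodes
PARTNER_GT = {"99970": "00070", "99980": "00080"}  # roamer IMSI prefix -> home GT prefix


@dataclass
class MapMessage:
    operation: str
    imsi: str          # subscriber the operation refers to
    calling_gt: str    # SCCP calling party global title


def border_decision(msg: MapMessage) -> str:
    """Return 'allow', 'block' or 'monitor' for one inbound MAP operation."""
    if msg.calling_gt.startswith(OWN_GT_PREFIX):
        return "allow"                      # internal traffic is out of scope here
    if msg.operation in CATEGORY_1:
        return "block"                      # no legitimate external use
    if msg.operation in CATEGORY_2:
        if msg.imsi.startswith(HOME_PLMN):
            return "block"                  # external node asking about our own subscriber
        home_gt = PARTNER_GT.get(msg.imsi[:5])   # assumes 2-digit MNC
        ok = home_gt is not None and msg.calling_gt.startswith(home_gt)
        return "allow" if ok else "block"   # roamer: only its home operator may ask
    if msg.operation in CATEGORY_3:
        return "monitor"                    # no signature; hand to behaviour analysis
    return "block"                          # assumption: default-deny unknown operations


if __name__ == "__main__":
    samples = [  # constructed messages
        MapMessage("anyTimeInterrogation", "001010000000001", "0007012345"),
        MapMessage("provideSubscriberInformation", "999700000000002", "0007012345"),
        MapMessage("provideSubscriberInformation", "999700000000002", "0008012345"),
        MapMessage("updateLocation", "001010000000001", "0007012345"),
    ]
    for m in samples:
        print(m.operation, m.calling_gt, "->", border_decision(m))
```

The filter only sees traffic arriving at the home border, which is why it cannot protect the operator's own subscribers while they roam in another network.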

Testing environment: Purposes

  • Simulate SS7 attacks
  • Test machine learning for detection

Testing environment: SS7 stack simulator

Testing environment: SS7 attack simulator

SS7 attack simulator: Different simulated attacks

  • Location tracking by sending ATI message.
  • Location tracking by sending PSI message.
  • Intercepting SMS.

SS7 attack simulator: Simulated nodes

SS7 attack simulator: Flow chart

SS7 attack simulator: A scenario

  • 10 subscribers including a VIP user.
  • The VIP user is targeted by the SMS interception attack.

SS7 attack simulator: A demo

Location tracking ATI attack

Location tracking PSI attack

Intercepting SMS attack

Big data platform to support SS7 attack detection

How machine learning can help

SMS intercepting attack: Faking a subscriber and updating a false location.

SMS intercepting attack: Receiving all SMS sent to the subscriber.

Test results: K-means clustering of user behavior

Test results: Anomaly detection of user behavior

Challenges and ways forward

  • Still ongoing activity to develop and simulate more attacks in the testing environment.
  • Develop an SS7 data collection and a scanning tool for SS7 vulnerabilities.
  • Develop a real-time machine learning-based toolbox for SS7 attack detection.
  • We need real data and real cases for research and development.

SS7 security: The potential of machine learning

Do Van Thanh, Hai Nguyen and Kristoffer Jensen; Momchil Nikolov and Karl Walter Høye