What’s being done about SS7 network security vulnerabilities?
We love our mobile devices. They keep us informed, let us communicate with co-workers and enable us to work on the move. Yet, how easy is it for these devices to be hacked or tracked?
Well, answers may vary, but with increasing interest in SS7 security flaws from global mainstream media, network operators and subscribers, there’s certainly a lot of focus on mobile device security.
The problem stems from the fact that the vast majority of mobile subscribers are still being served by SS7 protocol-based networks – more than four billion worldwide, making up 87% of the total mobile population, according to IHS Technology’s VoLTE Services & Subscribers Market Tracker.
But before I get too deep, let’s take a step back and address what SS7 is, the associated security threats and what operators can do to ensure reliable and secure communications in today’s interconnected world, says Bill Welch, senior director of Signalling Solutions at Sonus.
SS7 stands for Signalling System 7 and is a set of telephony signalling protocols developed in 1975. The protocols are used as telecommunications standards by network operators to set up and tear down calls, route SMS messages, support inter-network connectivity and transparent roaming, and provide per-session information.
Because SS7 networks were originally designed to work within an operator’s trusted domain or to interwork between trusted operators, security was not a top design consideration and was never adequately addressed. As SS7 networks have expanded outside of trusted operator environments, security vulnerabilities have been exposed, the most recent of which was highlighted in a 60 Minutes exposé of a US Congressman’s phone being hacked.
It might seem logical to think that if government officials are being targeted, operators should abandon the SS7 network. Yet, these networks are sticking around for a number of reasons. And although there is a lot of discussion around the migration to Diameter and LTE networks, indications are that SS7 will be around for quite a few years.
In fact, according to GSMA reports, subscriber and usage growth in SS7-based 3G networks is expected well into 2020. The reasoning? Mobile service providers rely on the SS7 network to interconnect their networks with other service providers so consumers have a seamless communications experience as they move into and out of different mobile towers and countries. In addition, SS7 networks are used by most major OTT service providers such as Google, Facebook and Amazon to provide SMS/text messages for user validation, registration and a myriad of other functions.
But as we stated earlier, as SS7 networks continue to expand outside trusted operator environments, security exposures have revealed network vulnerabilities. The 60 Minutes piece I referenced earlier emphasized how easy and inexpensive it is for hackers to access the SS7 network.
For instance, it is possible to use legitimate functions associated with SMS to gain access to subscriber information or to a subscriber’s location. Both open the subscriber up to other threats and, worse, put them at risk of having the information sold on the open market as a source of revenue.
Hackers can also act as a “man-in-the-middle” and eavesdrop on subscriber traffic, enabling them to listen to, or record, a conversation or intercept important text messages. Mobile network operators aren’t completely safe either. From financial theft to disruption of subscriber service, they’re at risk too.
So how can mobile network operators address SS7 security flaws? According to Stephane Teral, senior research director at IHS Technology, they will look to vendor solutions to provide mitigation and protect their customers from attacks. But what should these solutions look like and how would they work?
Operators should look for a multi-layer security solution that leverages existing STP gateway screening capabilities and incrementally adds Signalling Firewall capabilities to address the need for context-sensitive assessment on SS7 messages. With a multi-layer solution, the STP provides gateway screening based on a definition of rules per linkset, which specify which SS7 messages are allowed or disallowed to enter an operator’s network.
The STP can then forward potentially fraudulent SS7 messages to the Signalling Firewall for further assessment and analysis. The Signalling Firewall will provide context and stateful message assessment and where necessary return error messages to prevent information from being exposed.
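A minimal model of the two layers described above, added here as an illustration and not taken from the article or from any vendor product. The linkset names, rule table, threshold and sample traffic are constructed assumptions; the MAP operation names are real.

```python
from collections import defaultdict
from dataclasses import dataclass

ALLOW, DENY, ESCALATE = "allow", "deny", "escalate"

@dataclass(frozen=True)
class Msg:
    linkset: str    # linkset the message arrived on
    operation: str  # MAP operation name
    origin: str     # originating network (constructed label standing in for the calling GT)
    imsi: str       # subscriber the message concerns
    ts: float       # arrival time in seconds

# Layer 1, STP gateway screening: rules per linkset, unlisted messages are disallowed.
# Hypothetical policy: the interconnect linkset may not deliver provideSubscriberInfo,
# and its SMS routing queries are handed to the firewall.
STP_RULES = {
    "ls-core": {"sendRoutingInfoForSM": ALLOW, "provideSubscriberInfo": ALLOW},
    "ls-interconnect": {"sendRoutingInfoForSM": ESCALATE, "provideSubscriberInfo": DENY},
}

def stp_screen(msg):
    return STP_RULES.get(msg.linkset, {}).get(msg.operation, DENY)

class SignallingFirewall:
    """Layer 2: keeps state across messages, which a per-message STP rule cannot."""
    def __init__(self, max_subscribers=3, window=60.0):
        self.max_subscribers, self.window = max_subscribers, window
        self.seen = defaultdict(dict)  # origin -> {imsi: time last queried}

    def assess(self, msg):
        recent = self.seen[msg.origin]
        recent[msg.imsi] = msg.ts
        for imsi in [i for i, t in recent.items() if msg.ts - t > self.window]:
            del recent[imsi]  # forget queries older than the window
        # Simplified context rule: one origin querying many different subscribers
        # within the window gets an error reply instead of subscriber data.
        return "error" if len(recent) > self.max_subscribers else "forward"

def handle(msg, firewall):
    verdict = stp_screen(msg)
    if verdict == ESCALATE:
        return firewall.assess(msg)
    return "forward" if verdict == ALLOW else "discard"

if __name__ == "__main__":
    fw = SignallingFirewall()
    for n in range(5):  # constructed traffic: one origin, five subscribers, five seconds
        m = Msg("ls-interconnect", "sendRoutingInfoForSM", "net-A", f"00101000000000{n}", float(n))
        print(m.imsi, handle(m, fw))
```

The same message type is forwarded or answered with an error depending on what the firewall has already seen from that origin, which is the part a static per-linkset rule cannot express.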
By addressing SS7 security flaws using an optimal, multi-layer solution, vendors can help mobile network operators increase subscriber trust levels, decrease churn rates and, most importantly, protect your mobile devices.
The author of this blog is Bill Welch, senior director of Signalling Solutions at Sonus.