Mobile subscribers and operators today are exposed to a range of security vulnerabilities based on SS7 attacks. Security researchers have shown that several of these vulnerabilities are already being exploited, threatening subscriber privacy and funds, service availability, and operator revenues.
These vulnerabilities are a consequence of the increasing number of parties connected to the SS7 signaling network used for mobile communications. When this network was first established, it connected mobile operators that were largely trusted not to exploit it for profit or service disruption. Security was not a priority. As mobile communications have become an integral part of our society and the mobile business landscape has grown to include more players, more nodes have connected to the network. While the vast majority of these have good intentions and adequate security in place, it is still possible for illicit actors to gain access.
To offer a secure service and protect your own business, you must face the challenge that these vulnerabilities present, understanding how they leave your network exposed and actively working to provide better protection.
An overview of SS7 vulnerabilities
GSMA divides SS7 vulnerabilities into three categories based on the general method used to exploit the network:
- Category 1: Relies on SS7 packets normally intended to be sent within a single operator network to gather information from other networks. Attacks using such packets include the ability to track subscribers down to street level.
- Category 2: Relies on SS7 packets normally sent between roamers’ home network and the networks that they are actively roaming on. Exploiting these allows an attacker to manipulate subscriber information, for example to bypass charging systems and intercept calls.
- Category 3: Relies on SS7 packets that are sent between operator networks as part of subscriber movement between networks, SMS interworking, and CAMEL operations. Among other things, vulnerabilities in this category let an attacker intercept SMS and voice calls.
Understanding these different categories also underlines the need for a multi-pronged approach to protecting your network. While Category 1 attacks can be blocked by static filtering based on the location of the requesting node, Category 2 and 3 attacks require more advanced countermeasures.
Implementing efficient protection
So what must you do to protect your customers and your business? Because the basic architecture of the network lacks security, every network operator needs to filter incoming SS7 packets to ensure that inherent vulnerabilities are not exploited. While certain filtering might be possible to perform using existing network elements, it is important to understand what is required to achieve comprehensive protection.
At Symsoft, we have found two capabilities that are essential for any solution protecting against SS7 attacks:
- Configurable filtering based on all relevant traffic parameters: Identification of illicit traffic often requires inspection of several fields in SS7 packets. Furthermore, new attack vectors may still be found by illicit actors, making it important to implement a solution that can be configured to protect against attacks using these vectors.
- Stateful analysis of SS7 traffic: Many of the attacks cannot be recognised by looking at individual packets, but must be analysed in the context of the full exchange of information. For example, a message that is perfectly valid if we can see in earlier exchanges that a subscriber is in the network requesting information should be blocked if it arrives without any such context. This requires a filter that can remember data from previous messages to take the correct course of action, blocking attacks without disrupting ordinary service.
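The difference between the static filtering that stops Category 1 traffic and the stateful analysis described above can be sketched as follows. This is an added example, not Symsoft's product code; the message kinds, network labels and IMSI are constructed for illustration, and registrations are assumed to be trustworthy.

```python
from dataclasses import dataclass

HOME = "home"  # constructed label for the operator's own network

@dataclass(frozen=True)
class Msg:
    kind: str        # hypothetical labels: "internal_only", "registration", "subscriber_query"
    origin_net: str  # network of the requesting node (constructed label)
    imsi: str        # subscriber the message concerns (constructed value)

class SignalingFilter:
    def __init__(self):
        self.seen_in = {}  # imsi -> network the subscriber last registered from

    def check(self, msg):
        """Return (allowed, reason) and update state from accepted messages."""
        if msg.origin_net == HOME:
            return True, "home-originated"
        # Static rule: packets meant to stay inside one network never
        # legitimately arrive from an external node.
        if msg.kind == "internal_only":
            return False, "internal-only packet from external node"
        # Assumption: registrations are accepted at face value here; a real
        # deployment would validate them too before trusting the state.
        if msg.kind == "registration":
            self.seen_in[msg.imsi] = msg.origin_net
            return True, "registration recorded"
        # Stateful rule: an external query is valid only if earlier traffic
        # placed this subscriber in the network that is now asking.
        if msg.kind == "subscriber_query":
            if self.seen_in.get(msg.imsi) == msg.origin_net:
                return True, "subscriber known in requesting network"
            return False, "no prior context for requesting network"
        return False, "unknown message kind"

def run(messages):
    fw = SignalingFilter()
    return [fw.check(m) for m in messages]

# Constructed sample traffic, in arrival order.
SAMPLE = [
    Msg("internal_only", "net-x", "001010000000001"),
    Msg("subscriber_query", "net-a", "001010000000001"),  # before any registration
    Msg("registration", "net-a", "001010000000001"),
    Msg("subscriber_query", "net-a", "001010000000001"),  # same packet, now in context
    Msg("subscriber_query", "net-x", "001010000000001"),  # wrong network
]

if __name__ == "__main__":
    for msg, (ok, why) in zip(SAMPLE, run(SAMPLE)):
        print("ALLOW" if ok else "BLOCK", msg.kind, msg.origin_net, "-", why)
```

The second and fourth sample messages are identical; only the remembered registration between them changes the verdict, which is the case a per-packet filter cannot express.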
In addition to providing these essential capabilities, a dedicated SS7 firewall also provides a centralized point for protection, which offers simpler administration compared to configuring filters on lower-level traffic elements.
The threat of SS7 attacks is real and there are solutions to protect your subscribers and your business. As a service provider, do make sure that the solutions you choose offer the capabilities needed to provide comprehensive protection for your customers and your business.
Symsoft SS7 Firewall
Symsoft SS7 Firewall is a product that performs stateful filtering of SS7 traffic to protect your network in real time. Based on a carrier-grade platform used by over 80 operators worldwide, it is highly configurable, enabling it to adapt to new threats as they arise. For more information, go to the Symsoft SS7 Firewall page or contact us below!