September 1, 2015

Is the SS7 Network open to attacks and if so what can we do about it?


Security within the SS7 network has been discussed from the beginning of network deployment dating back to the mid 1980s. However, the recent attention given to SS7 vulnerabilities is linked to articles in the Washington Post and the presentations given by two German Researchers at the Hacker conference Chaos Communication Congress 31c3, December 2014, in Hamburg Germany. At this conference Tobias Engel and Karsten Nohl presented some scenarios that should shake the network and all associated network operators to their very core. But the questions arises “What are we to do about these vulnerabilities?”

  • Should we change the protocol immediately?
  • Should the SS7 Signal Transfer Point be upgraded to handle the attacks?
  • Should the software in all associated nodes be changed to recognize the threats and deal with them?
  • Should we simply wait until LTE/EPC Diameter network replace the SS7 networks?
  • Should new devices such as an SS7 Firewalls be developed to deal with these threats and the SS7 messaging levels?

Should we change the protocol immediately?

The SS7/C7 protocol and its associated overlay, out of band signalling network was designed in the early 1980s with major deployment starting in the mid 1980s. During this time there were a limited number of network operators worldwide and the relationship between operators was one of trust. The networks were typically wire-line and SS7/C7 access was through physical connectivity creating a walled garden approach to security. Since the initial deployment the use of SS7 has grown to control the majority of all networks globally. To change the protocol the standardization bodies would have to develop new specifications, network equipment vendors would have to implement the new standards in their softwares and network operators would have to upgrade all of their switches and use the new versions of softwares. This task would be monumental and extremely costly and there is no guarantee that the attackers could not find other vulnerabilities not covered by the software or specifications.

Should the SS7 Signal Transfer Point (STP) be upgraded to handle the attacks?

SS7 STPs are defined as the SS7 routers within the network. A feature specifically designed for the STP — Gateway Screening provides some degree of security for SS7 messages entering a network. The criteria that an STP uses to determine which messages are allowed or blocked is limited to network addresses (Originating Point Codes (OPC), Destination Point Codes (DPC), Message types (defined by Service Information Octets (SIO) and some Signaling Connection Control Part (SCCP) information such as Global Title Translation (GTT). In the mobile telecommunications environment where any subscriber can be roaming and calling anyone in the world these criteria for screening are not sufficient in providing security at the Mobile Application Part (MAP) or CAMEL Application Part of the SS7 protocol. The STP was not designed to address the protocol at the upper levels of the SS7 protocol – to change their function to look into these upper levels could change the entire design and possibly limit their ability to handle the message capacity required for either normal routing or security.

Should the software in all associated nodes be changed to recognize the threats and deal with them?

Another approach to solving the security issues might be for network equipment vendors to place intelligence in their software to circumvent these threats. This software would have to be upgraded in most of the network equipment including Mobile Switching Center (MSC), Gateway MSC (GMSC), Home Location Registers (HLR), and Visitor Location Registers (VLR). The problem with this approach is that these upgrades would have to be preformed in an extremely large quantity of network nodes. Additionally most network equipment vendors are in the sustaining mode for SS7 based equipment and have moved the majority of their resources to designing and implementing the 4G-LTE/EPC Diameter based equipment.

Should we simply wait until LTE/EPC Diameter networks replace the SS7 networks?

Even though the 4G-LTE/EPC Diameter technologies is the fastest deployed network in telecommunication history, the fact remains that the vast majority of mobile customers worldwide are still served by SS7 based networks. Currently, there are 3.7+ billion mobile subscribers worldwide served by SS7 networks, which is 86.6% of the total mobile population. With this large population of SS7 based subscribers it seems that the SS7 network will be with us for some time therefore the security of the network cannot be delayed waiting on a new technology. Moreover some of the same concepts that are used in the SS7 network have been ported over to the LTEW/EPC Diameter environment.

Should new devices such as an SS7 Firewall be developed to deal with these threats and the SS7 messaging levels?

At the sake of overstating the obvious is seems that the best approach to solving the SS7 security dilemma is to implement SS7 security firewalls at the MAP and CAP levels. The SS7 firewall could implement policies to address currently defined security threats, monitor for new threats and develop new policies to stop new threats. These SS7 firewalls could also be provisioned with the Diameter Protocol and be used to stop new and or equivalent threats in the LTE/EPC Diameter based networks as well.

Categorised in:

September 1, 2015