Introduction to SS7 and Security
The absence of security in SS7 is identified as a weakness, but it has not been seen as a problem because of the following:
- Existing trust relationships amongst Telcos
- Closed networks
- Only experts are working and monitoring networks
Today networks are changing and protection for SS7 is becoming a necessity due to:
- The opening of the network for various (smaller) interconnect parties and service providers
- IP access to SS7 networks
- Fewer experts available to monitor networks
- More SMS service providers connecting to the network, increasing the possibility of wrong messages being sent without any purpose or of attempts to abuse the network.
- TCAP and protocols based on TCAP are more vulnerable to fraud.
- Don’t need end to end physical connections
- Used in inter-PLMN communications
Preventing SS7-Based Attacks using TCAP Security
SS7 Based Security Threats
- Illegal use of HPLMN SMSC by a 3rd party.
- An MO SMS with a manipulated A-MSISDN (real or wrong) is coming into the HPLMN network from a foreign VLR (real or wrong SCCP Address).
- If the billing is made from the SMS-C data, the real subscriber will be invoiced.
- HPLMN can check the originator MSISDN (to verify whether it is real or not).
- HPLMN can check if the VLR location stored in the HLR is in the same range as the requesting SCCP address.
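The two HPLMN checks listed above, sketched as an added example that is not part of the original page. The HLR table, the global-title ranges, the addresses and all function names are constructed assumptions; "same range" is interpreted here as "same configured global-title prefix".

```python
from dataclasses import dataclass

# Constructed HLR view: subscriber MSISDN -> global title (GT) of the VLR
# currently serving that subscriber. A real deployment would query the HLR.
HLR_VLR = {
    "491700000001": "491710000050",  # subscriber attached in the home network
    "491700000002": "447900000120",  # subscriber roaming in a partner network
}

# Constructed GT prefixes, one per known VLR address range (assumption).
GT_RANGES = ["49171", "44790", "33609"]


@dataclass
class MoForwardSm:
    a_msisdn: str         # originator MSISDN claimed in the MAP layer
    sccp_calling_gt: str  # SCCP calling party address of the sending VLR


def gt_range(gt):
    """Return the longest configured prefix matching gt, or None."""
    matches = [p for p in GT_RANGES if gt.startswith(p)]
    return max(matches, key=len) if matches else None


def check_mo_sms(msg):
    """Apply both checks to an incoming MO SMS and return a verdict string."""
    # Check 1: is the originator MSISDN a real subscriber of this HPLMN?
    vlr_gt = HLR_VLR.get(msg.a_msisdn)
    if vlr_gt is None:
        return "reject: unknown originator MSISDN"
    # Check 2: does the requesting SCCP address fall in the same range as
    # the VLR location the HLR has stored for that subscriber?
    stored = gt_range(vlr_gt)
    source = gt_range(msg.sccp_calling_gt)
    if stored is None or source is None or stored != source:
        return "reject: SCCP address outside range of VLR stored in HLR"
    return "accept"


if __name__ == "__main__":
    samples = [  # constructed messages
        MoForwardSm("491700000002", "447900000121"),  # roamer, matching VLR range
        MoForwardSm("491700000001", "336090000001"),  # real MSISDN, foreign SCCP
        MoForwardSm("491799999999", "491710000050"),  # MSISDN not in HLR
    ]
    for m in samples:
        print(m.a_msisdn, m.sccp_calling_gt, "->", check_mo_sms(m))
```

A message that fails the second check while carrying a real MSISDN is the case where billing from SMS-C data would charge the genuine subscriber.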
Faking (MT Spoofing)
- A fake SMS is originated from the international SS7 network.
- SCCP/MAP addresses are manipulated.
- SCCP/MAP addresses are wrong or copied from a real existing SMSC.
- SMS can be sent to a real subscriber (recovering IMSI) or to a wrong IMSI (only to generate traffic).
- Controlling access to the SS7 network
- Supervision of foreign SMSC traffic
- Subscriber receives unwanted SMS.
- Sender can be valid.
- SMS can be billed correctly.
- SMS is submitted by a mobile phone or by a third party connected to the SMSC.
- Only real detection method is customer complaints.
- Repetitive content check
- SMS Firewall / SMS Router
- Massive load of messages to one or more destinations.
- The only parameter is the number of messages sent.
- May cause denial of service
- Supervision of traffic
- Unwanted signaling
- Stolen private information
- SMS Defence