Signaling security awareness
There is no such thing as a 100% secure mobile network; this is a fact confirmed by security researchers. However, many Operators deny it and are convinced that their network is one of a kind, fully safe and secure. Very often this belief comes from the fact that a security audit was conducted at some point in the past and all vulnerabilities found then were addressed. Unfortunately, taking care of security is a continuous process: once a vulnerability is mitigated, a new attack vector appears. You can't let your guard down and need to stay one step ahead of bad actors.
To give a little background: the signaling security topic hit the mainstream in 2014, when newspapers such as the Washington Post published a set of articles about SS7 security flaws. The same year, two lectures on the topic were given at the 31st Chaos Communication Congress: one by Tobias Engel titled "SS7: Locate. Track. Manipulate" and the second by Karsten Nohl, "Mobile self-defense". That event took place over 7 years ago. From today's point of view, the attacks they presented are not very sophisticated, yet some of them are still not properly addressed even by major Telco Operators.
Nowadays, when it comes to signaling security, two major issues are usually raised: SMS interception (primarily in the context of MFA) and location tracking. But there is much more to it.
Mobile networks threats
Mobile networks customers are exposed to threats that could be categorized in the following way:
- Tracking – exposing customer location (depending on the retrieved information, different accuracy can be achieved: country, state, city, street…)
- Interception – an attacker can intercept text messages and use them to hijack an e-mail or Twitter account, but can also act as a man-in-the-middle for voice calls and record them
- Data disclosure – starting from the balance of a pre-paid account, through personal info, to authentication keys that can enable an attacker to eavesdrop on the victim's conversations
- Denial of service – blocking of all mobile services (SMS, voice, data), or only part of them, e.g. by enabling BAOC (Barring of All Outgoing Calls)
- Fraud – depleting pre-paid account with the usage of USSD codes or setting Call Forwarding to some exotic destination
- SPAM – every mobile phone user knows what I mean 🙂
Just a few years ago, sending anyTimeInterrogation for an HPLMN subscriber was enough to learn their location. Nowadays, this message is filtered by the vast majority of Mobile Operators, so attackers have to resort to more sophisticated ways. Often an attack consists of two independent steps, and a single signaling message can be used in different threat categories.
If an Operator has doubts about the security of its signaling network, there are two simple and non-disruptive ways to raise awareness of possible threats:
- deploying a Signaling Firewall in IDS mode
- commissioning a signaling penetration test with a proper partner
Choosing a proper pentesting partner
When it comes to pentesting, choosing a proper partner is crucial. The partner not only has to be experienced and up to date with the latest security research, but also needs the right infrastructure to deliver high-quality results. They need flexible tooling that can generate traffic which is not standards-compliant (out-of-the-box simulators do not allow that). Equally important, they need several entry points into the signaling network so that traffic can be initiated from different addresses, because the target network may behave differently depending on, for example, the SCCP Calling GT. At the end of the pentesting process, the Operator should receive a detailed report listing the vulnerabilities along with traces proving network penetration.
Real time attack detection
A Signaling FW deployed as an IDS (Intrusion Detection System) can be integrated with the mobile network in overlay mode, can process traffic copied from the STP/DRA, or can even work on traffic gathered from SPAN ports on switches, which makes it easy to integrate even in complex networks. It does not actively block or disrupt live traffic; it monitors it and raises alarms whenever a threat is detected. Because it works in near real-time rather than inline, it can provide better correlation between separate transactions. Additionally, it often provides richer analytics, which can use machine learning algorithms to detect threats. Even though it does not actively protect your network, it gives you clues about the problems, and some of them can be solved in other parts of your Core Network infrastructure, like the HLR or STP, without introducing a full Signaling FW. For example, several MAP messages can disclose a subscriber's IMSI or VLR address.
Depending on the type of MSU, the Operator can take different countermeasures, e.g.:
- sendRoutingInfo – should be blocked at the network border, e.g. by the STP (if it supports blocking per OpCode)
- sendIMSI – can be blocked on the HLR
- sendRoutingInfoForSM – SMS Home Router functionality is required, usually delivered as a feature of the STP or SMS Firewall
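To make the IDS idea and the per-OpCode countermeasures above concrete, here is an added example (not SigWall code and not part of the original article) of a small detector run over constructed MAP MSU log lines. It assumes a simplified record format `ts,calling_gt,called_gt,opcode,imsi` where the IMSI column holds whatever IMSI the transaction exposed (empty if none), that home-network GTs share a constructed prefix, and a constructed roaming-partner GT. Opcode numbers are the standard MAP operation codes from 3GPP TS 29.002. It flags inbound operations that should be stopped at the border or on the HLR, flags sendRoutingInfoForSM as a disclosure that needs Home Routing rather than a plain block, and correlates the two-step pattern the text describes: an IMSI disclosure followed by a location query for that IMSI from the same Calling GT.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed topology: our own GTs start with this prefix; everything else is interconnect.
HOME_GT_PREFIX = "4812"

# MAP operation codes (values per 3GPP TS 29.002) mapped to names.
MAP_OPCODES = {
    2: "updateLocation",
    22: "sendRoutingInfo",
    45: "sendRoutingInfoForSM",
    58: "sendIMSI",
    70: "provideSubscriberInfo",
    71: "anyTimeInterrogation",
}

# Inbound operations with no legitimate interconnect use, and where the article
# says they can be stopped without a full signaling firewall.
BORDER_POLICY = {
    "sendRoutingInfo": "block at border on STP (per-OpCode filter)",
    "sendIMSI": "block on HLR",
    "anyTimeInterrogation": "block at border on STP",
}
# Legitimate from interconnect, so it needs SMS Home Routing instead of a block.
HOME_ROUTING_NEEDED = {"sendRoutingInfoForSM"}
# Operations whose result hands the requester an IMSI (step one of a tracking chain).
IMSI_DISCLOSING = {"sendRoutingInfo", "sendRoutingInfoForSM", "sendIMSI"}
# Operations that turn a known IMSI into a location (step two).
LOCATION_QUERIES = {"provideSubscriberInfo", "anyTimeInterrogation"}
CHAIN_WINDOW_S = 300  # correlation window between the two steps, in seconds


@dataclass
class Msu:
    ts: int
    calling_gt: str
    called_gt: str
    opcode: int
    imsi: str


@dataclass
class Alert:
    ts: int
    rule: str
    calling_gt: str
    op: str
    action: str


def parse(line: str) -> Msu:
    """Parse one constructed log record: ts,calling_gt,called_gt,opcode,imsi."""
    ts, cgt, dgt, op, imsi = line.strip().split(",")
    return Msu(int(ts), cgt, dgt, int(op), imsi)


def is_home(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIX)


def analyze(lines):
    """Run the IDS rules over log lines and return the alerts in order."""
    alerts = []
    # calling_gt -> {imsi: timestamp at which that GT obtained the IMSI}
    disclosed = defaultdict(dict)
    for msu in (parse(l) for l in lines if l.strip()):
        if is_home(msu.calling_gt):
            continue  # only inbound interconnect traffic is of interest here
        op = MAP_OPCODES.get(msu.opcode, f"opcode-{msu.opcode}")
        if op in BORDER_POLICY:
            alerts.append(Alert(msu.ts, "border-violation", msu.calling_gt, op, BORDER_POLICY[op]))
        elif op in HOME_ROUTING_NEEDED:
            alerts.append(Alert(msu.ts, "imsi-disclosure", msu.calling_gt, op, "enable SMS Home Router"))
        if op in IMSI_DISCLOSING and msu.imsi:
            disclosed[msu.calling_gt][msu.imsi] = msu.ts
        if op in LOCATION_QUERIES and msu.imsi in disclosed[msu.calling_gt]:
            if msu.ts - disclosed[msu.calling_gt][msu.imsi] <= CHAIN_WINDOW_S:
                alerts.append(Alert(msu.ts, "location-tracking-chain", msu.calling_gt, op,
                                    "investigate Calling GT; stop location queries from interconnect"))
    return alerts


# Constructed sample traffic (GTs and IMSIs are made up).
SAMPLE_LOG = [
    "1000,33612000001,481210000001,2,260011234567890",   # updateLocation from a roaming partner: legitimate
    "1010,88299000007,481210000001,58,260011234567891",  # sendIMSI from interconnect: block on HLR
    "1020,88299000007,481210000001,45,260011234567892",  # SRI-for-SM leaks an IMSI: needs Home Routing
    "1050,88299000007,481210000002,70,260011234567892",  # PSI on that IMSI 30 s later: tracking chain
    "1060,48121000003,481210000001,22,260011234567893",  # home-originated SRI: ignored
    "2000,88299000007,481210000002,71,260011234567899",  # ATI with no prior disclosure: border only
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:24} gt={a.calling_gt} op={a.op}: {a.action}")
```

The chain rule is where an IDS that sees whole transactions earns its keep: each of the two messages on its own might pass a simple per-OpCode filter (sendRoutingInfoForSM is legitimate interconnect traffic), but the same foreign GT obtaining an IMSI and then querying the location of that IMSI within minutes is the two-step pattern the article describes.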
This article focuses mainly on SS7 because it is still the most widely used interconnect protocol, but similar scenarios are valid for Diameter, GTP and SIP.
If you are ready to raise your awareness about your signaling network security, let us know. We can discuss what approach is best for you. We have already delivered many pentesting engagements, and our Signaling Firewall is deployed in multiple instances on three different continents. We know the problems you struggle with.
If you want to know more, you can check our signaling firewall, SigWall.
Need help in signaling network security? Don’t wait any longer, meet us!