in Security

Positive Technologies' report highlights SS7 cellular networks' vulnerability

Posted 23 August 2016 · Add Comment

Research published today by Positive Technologies reveals that all the Signalling System No.7 (SS7) cellular networks it tested could be exploited, turning a mobile phone into an open book.

Click on above to access report

With access to SS7 and a victim’s phone number, an attacker can listen to a conversation, pinpoint a person’s location, intercept short message service (SMS) messages (allowing access to third party services – such as bank and social media accounts), impersonate a user to send texts and make phone calls from the user’s mobile number, plus a number of other attacks.

This problem is not just a consumer one as the mobile operators are also in a position of losing multi millions of dollars through fraud and operational issues as well as the risk of the impact on their brand and reputation. The techniques can be used by intelligence services and also hackers.

Alex Mathews, Technical Manager EMEA, of Positive Technologies explains, “As our research shows the SS7 system is riddled with security vulnerabilities. While many will argue that this does not pose a risk to subscribers or operators, as it is a closed system with access restricted, that simply is no longer true.

"Originally created in the 1970s, the network was designed to interconnect fixed telephony. Over the years it has evolved in both size and supported protocols encompassing not only fixed telephony, but also facilitate GSM/3G/LTE communications offered by Mobile Network Operators (MNOs), and extended to value added service providers (MVNOs) plus IPBX services.

"Today it allows the use of IP networks to transfer signalling messages and, with this innovation, the network stopped being isolated. We all need to wake up to the realisation that SS7 exploits can turn a cell phone into an open book, allowing an attacker to read SMS messages, locate where a handset is, eavesdrop and even record conversations.

"Our research has also identified that hackers could compromise an operator’s network to perform a massive denial of service attack, affecting its entire network and preventing it from providing any and all of its services to users. Perhaps of greater concern is that our research indicates the problems aren’t limited to SS7, with these legacy flaws also present in newer 4G networks, plus new vulnerabilities may have been introduced. Mobile communications cannot be allowed to remain vulnerable. People and industries will continue to use and depend on these communication networks and we all need to work together to find a way to make these networks robust and secure, to stop exacerbating the problem in the future.”

Recognising the risks of SS7 manipulation, the National Institute of Standards and Technology (NIST- the US federal technology agency that works with industry to develop and apply technology, measurements, and standards) is no longer recommending two-factor authentication systems that use SMS. In the latest draft of its Digital Authentication Guideline it advised that:
'Out of band authentication using SMS is deprecated, and will no longer be allowed in future releases of this guidance'.

Positive Technologies’ security analysis examined the SS7 networks of various operators ranging in subscriber base from sub 10 million and in to the 10s of millions of subscribers and found all were exploitable. With multiple SS7 vulnerabilities and equipment configuration errors, these flaws offer a wide surface for a potential attack.

Its analysis showed that each and every SS7 network tested was susceptible to multiple attacks (nine on average). Many had more than three vulnerabilities that could be exploited due to an inability to check whether a subscriber belonged to a particular network. In most cases these flaws are actually critical to the systems functionality.

As expected, small mobile operators were less protected against outsider threats. However, even the leading cellular carriers were unable to provide a sufficient level of security, and the percentage of successful attacks was significant in all cases. The study found that 80% of DoS attacks, 77% of leakage attacks, and 67% of fraudulent actions were successful.

Mr Mathews concluded: “Obtaining access to the SS7 network is relatively easy. For example, an attacker can purchase access through the black market for several thousand dollars or even obtain an operator’s license in countries with lax laws. A rogue engineer, that works within an operator, may abuse their access to SS7 connections - typically via a laptop with specialist software installed or perhaps a raspberry PI device.

"In order to reduce risk, operators must employ a global approach to SS7 protection. At a minimum this means conducting regular security audits of the signalling network and developing appropriate measures to mitigate risk based on vulnerabilities as they evolve. Just as users expect their voice calls to be clear and their internet connection reliable, their communications should also be secure as standard.”


* required field

Post a comment

Other Stories
Latest News

Rolls-Royce to supply propellers and mission bay tech for Royal Navy’s Type 26

Rolls-Royce has signed two contracts with BAE Systems to supply low-noise propellers and mission bay handling technologies for the UK Royal Navy’s new Type 26 Global Combat Ship.

Air Malta launches routes to Malta, Sardinia and Sicily from Southend Airport

Today Air Malta introduced four new routes; Malta to London Southend, Malta to Cagliari and flights between London Southend, Catania and Cagliari.

Airbus delivers its first A350-1000 to launch customer Qatar Airways

Airbus has delivered the world’s first A350-1000 widebody airliner to launch customer Qatar Airways at a delivery event in Toulouse, France.

Hexcel advances A350 structural support

Hexcel - whose HexPly M21E/IMA carbon fiber/epoxy prepreg is used to manufacture all composite primary structures of the A350 XWB - has (for the first time on an Airbus aircraft) had its HexMC carbon fiber/epoxy molding compound used for

UK Power Networks Services to transform Manchester Airport's power infrastructure

Today UK Power Networks Services signed a contract to provide vital power infrastructure services for Manchester Airport, the UK’s third busiest airport, a key project to help deliver its £1 billion transformation programme.

Students thrust magnesium into the spotlight

Students in Birmingham, UK, are being challenged to showcase the potential uses of magnesium within the aerospace sector as part of a competition being set by Birmingham City University and the world’s largest producer of magnesium

ODU SK191217191218
See us at
SMI FAVSABT2411120418FIL18 BT111017220718SMI FAVWSBT1402060618SMI HelicopterTBT1402240518Aviation Africa BT18418S&P BT281117080318