Positive Technologies' report highlights SS7 cellular networks' vulnerability

Click on above to access report

With access to SS7 and a victim’s phone number, an attacker can listen to a conversation, pinpoint a person’s location, intercept short message service (SMS) messages (allowing access to third party services – such as bank and social media accounts), impersonate a user to send texts and make phone calls from the user’s mobile number, plus a number of other attacks.

This problem is not just a consumer one as the mobile operators are also in a position of losing multi millions of dollars through fraud and operational issues as well as the risk of the impact on their brand and reputation. The techniques can be used by intelligence services and also hackers.

Alex Mathews, Technical Manager EMEA, of Positive Technologies explains, “As our research shows the SS7 system is riddled with security vulnerabilities. While many will argue that this does not pose a risk to subscribers or operators, as it is a closed system with access restricted, that simply is no longer true.

"Originally created in the 1970s, the network was designed to interconnect fixed telephony. Over the years it has evolved in both size and supported protocols encompassing not only fixed telephony, but also facilitate GSM/3G/LTE communications offered by Mobile Network Operators (MNOs), and extended to value added service providers (MVNOs) plus IPBX services.

"Today it allows the use of IP networks to transfer signalling messages and, with this innovation, the network stopped being isolated. We all need to wake up to the realisation that SS7 exploits can turn a cell phone into an open book, allowing an attacker to read SMS messages, locate where a handset is, eavesdrop and even record conversations.

"Our research has also identified that hackers could compromise an operator’s network to perform a massive denial of service attack, affecting its entire network and preventing it from providing any and all of its services to users. Perhaps of greater concern is that our research indicates the problems aren’t limited to SS7, with these legacy flaws also present in newer 4G networks, plus new vulnerabilities may have been introduced. Mobile communications cannot be allowed to remain vulnerable. People and industries will continue to use and depend on these communication networks and we all need to work together to find a way to make these networks robust and secure, to stop exacerbating the problem in the future.”

Recognising the risks of SS7 manipulation, the National Institute of Standards and Technology (NIST- the US federal technology agency that works with industry to develop and apply technology, measurements, and standards) is no longer recommending two-factor authentication systems that use SMS. In the latest draft of its Digital Authentication Guideline it advised that:
'Out of band authentication using SMS is deprecated, and will no longer be allowed in future releases of this guidance'.

Positive Technologies’ security analysis examined the SS7 networks of various operators ranging in subscriber base from sub 10 million and in to the 10s of millions of subscribers and found all were exploitable. With multiple SS7 vulnerabilities and equipment configuration errors, these flaws offer a wide surface for a potential attack.

Its analysis showed that each and every SS7 network tested was susceptible to multiple attacks (nine on average). Many had more than three vulnerabilities that could be exploited due to an inability to check whether a subscriber belonged to a particular network. In most cases these flaws are actually critical to the systems functionality.

As expected, small mobile operators were less protected against outsider threats. However, even the leading cellular carriers were unable to provide a sufficient level of security, and the percentage of successful attacks was significant in all cases. The study found that 80% of DoS attacks, 77% of leakage attacks, and 67% of fraudulent actions were successful.

Mr Mathews concluded: “Obtaining access to the SS7 network is relatively easy. For example, an attacker can purchase access through the black market for several thousand dollars or even obtain an operator’s license in countries with lax laws. A rogue engineer, that works within an operator, may abuse their access to SS7 connections - typically via a laptop with specialist software installed or perhaps a raspberry PI device.

"In order to reduce risk, operators must employ a global approach to SS7 protection. At a minimum this means conducting regular security audits of the signalling network and developing appropriate measures to mitigate risk based on vulnerabilities as they evolve. Just as users expect their voice calls to be clear and their internet connection reliable, their communications should also be secure as standard.”