in Security

Positive Technologies' report highlights SS7 cellular networks' vulnerability

Posted 23 August 2016 · Add Comment

Research published today by Positive Technologies reveals that all the Signalling System No.7 (SS7) cellular networks it tested could be exploited, turning a mobile phone into an open book.

Click on above to access report

With access to SS7 and a victim’s phone number, an attacker can listen to a conversation, pinpoint a person’s location, intercept short message service (SMS) messages (allowing access to third party services – such as bank and social media accounts), impersonate a user to send texts and make phone calls from the user’s mobile number, plus a number of other attacks.

This problem is not just a consumer one as the mobile operators are also in a position of losing multi millions of dollars through fraud and operational issues as well as the risk of the impact on their brand and reputation. The techniques can be used by intelligence services and also hackers.

Alex Mathews, Technical Manager EMEA, of Positive Technologies explains, “As our research shows the SS7 system is riddled with security vulnerabilities. While many will argue that this does not pose a risk to subscribers or operators, as it is a closed system with access restricted, that simply is no longer true.

"Originally created in the 1970s, the network was designed to interconnect fixed telephony. Over the years it has evolved in both size and supported protocols encompassing not only fixed telephony, but also facilitate GSM/3G/LTE communications offered by Mobile Network Operators (MNOs), and extended to value added service providers (MVNOs) plus IPBX services.

"Today it allows the use of IP networks to transfer signalling messages and, with this innovation, the network stopped being isolated. We all need to wake up to the realisation that SS7 exploits can turn a cell phone into an open book, allowing an attacker to read SMS messages, locate where a handset is, eavesdrop and even record conversations.

"Our research has also identified that hackers could compromise an operator’s network to perform a massive denial of service attack, affecting its entire network and preventing it from providing any and all of its services to users. Perhaps of greater concern is that our research indicates the problems aren’t limited to SS7, with these legacy flaws also present in newer 4G networks, plus new vulnerabilities may have been introduced. Mobile communications cannot be allowed to remain vulnerable. People and industries will continue to use and depend on these communication networks and we all need to work together to find a way to make these networks robust and secure, to stop exacerbating the problem in the future.”

Recognising the risks of SS7 manipulation, the National Institute of Standards and Technology (NIST- the US federal technology agency that works with industry to develop and apply technology, measurements, and standards) is no longer recommending two-factor authentication systems that use SMS. In the latest draft of its Digital Authentication Guideline it advised that:
'Out of band authentication using SMS is deprecated, and will no longer be allowed in future releases of this guidance'.

Positive Technologies’ security analysis examined the SS7 networks of various operators ranging in subscriber base from sub 10 million and in to the 10s of millions of subscribers and found all were exploitable. With multiple SS7 vulnerabilities and equipment configuration errors, these flaws offer a wide surface for a potential attack.

Its analysis showed that each and every SS7 network tested was susceptible to multiple attacks (nine on average). Many had more than three vulnerabilities that could be exploited due to an inability to check whether a subscriber belonged to a particular network. In most cases these flaws are actually critical to the systems functionality.

As expected, small mobile operators were less protected against outsider threats. However, even the leading cellular carriers were unable to provide a sufficient level of security, and the percentage of successful attacks was significant in all cases. The study found that 80% of DoS attacks, 77% of leakage attacks, and 67% of fraudulent actions were successful.

Mr Mathews concluded: “Obtaining access to the SS7 network is relatively easy. For example, an attacker can purchase access through the black market for several thousand dollars or even obtain an operator’s license in countries with lax laws. A rogue engineer, that works within an operator, may abuse their access to SS7 connections - typically via a laptop with specialist software installed or perhaps a raspberry PI device.

"In order to reduce risk, operators must employ a global approach to SS7 protection. At a minimum this means conducting regular security audits of the signalling network and developing appropriate measures to mitigate risk based on vulnerabilities as they evolve. Just as users expect their voice calls to be clear and their internet connection reliable, their communications should also be secure as standard.”


* required field

Post a comment

Other Stories
Latest News

QinetiQ helps UK electricity sector prepare for cyber-attacks

QinetiQ (Lead Exercise Integrator), with strategic partner Inzpire, working in partnership with the National Cyber Security Centre (NCSC) and the Department for Business, Energy and Industrial Strategy (BEIS), has successfully

Mettis Aerospace supports WBA’s Wi-Fi 6 infrastructure trials

The Wireless Broadband Alliance (WBA), the body leading development of next generation Wi-Fi services, today confirmed the successful completion of its phase one trial of Wi-Fi 6 infrastructure and services at the Mettis Aerospace

World’s first ISO approved drone safety standards announced

Today the world’s first ISO approved drone standards have been announced by the International Organisation for Standardisation (ISO) following a 12-month period of consultation with drone professionals, academics, businesses and

Permali Gloucester to protect Royal Navy’s Mk4s

Permali Gloucester Limited has been contracted by Leonardo Helicopters to supply a comprehensive ballistic protection solution for the Royal Navy’s new Commando Merlin Mk4 helicopters.

Peli releases Mobile 0450 Tool Chest GEN 2 with robust drawers

Designer and manufacturer of protective cases and lighting systems, Peli Products, has revealed its new Mobile 0450 Tool Chest GEN 2.

United Airlines orders 50 A321XLRs

United Airlines has placed a firm order for 50 Airbus A321XLR aircraft as it begins to phase out older models and launches an expansion of transatlantic routes from its key US hubs in Newark/New York and Washington DC.

ODU 0201311219
See us at
VIDSE BT1605060320FIL20BT010819260720S&P BT241019040320AMAS BT0312270220