Questions and Answers from the MWL webinar SS7 Vulnerabilities (part 1)

It’s been more than a week since our webinar about SS7 Vulnerabilities went live so we’ve taken the time to answer all the questions we ran out of time to answer live at the Q&A
session.

As we mentioned in the wrap up post the number of questions was way too big to answer all of them comprehensively during the live session. That’s why we decided to answer almost all of them on our blog. Now we say almost all as some of them contain quite sensitive information which we wouldn’t like to expose.

All the questions have already received an individual answer from Kevin Panzavecchia. But also because the questions which have been asked are very often the questions popular during our meetings with people interested in SS7 security we decided to publish some of them here.

Let’s get to the point. Actually, points.

Q: Dear all, please give us concrete example of vulnerability which can occur in the core network and Camel specially (free call charging)

A: When CAMEL is used for charging, during call setup for every call, the CAMEL Service Control Function is used to determine if the subscriber has enough credit to perform the call. This means that if the fraudster managed to point the subscriber to a fradulent machine acting as SCF, he can completely control the call setup for the subsciber’s calls, including call charging.

Q: How many more years do you envisage SS7/SIGTRAN will be used by operators, taking into consideration 4G/IMS/VoLTE growth and 5g on the horizon?

A: Newer technologies such as forexample LTE use IP-based DIAMETER protocol as a replacement for SS7, however operators implementing LTE will probably do so in parallel with SS7 for the forseeable future. Telecoms operators may experience chalanges in adapting fast and new technologies. This is due to various factors, such as previous investment in older technology, security and stability concerns. Even when an operator introduces new technologies to its network, older technology is often still kept in use in order to cater for older handsets that might still be in use by the MNO’s subscribers. Of course, exact predictions are hard to come up with., however, it seems clear that even though techologies such as LTE and VoLTE have been available for some time, SS7 will probably still be a fact of life for a good number of years to come. Newer technologies such as forexample LTE use IP-based DIAMETER protocol as a replacement for SS7, however operators implementing LTE will probably do so in parallel with SS7 for the forseeable future. Telecoms operators may experience chalanges in adapting fast and new technologies. This is due to various factors, such as previous investment in older technology, security and stability concerns. Even when an operator introduces new technologies to its network, older technology is often still kept in use in order to cater for older handsets that might still be in use by the MNO’s subscribers. Of course, exact predictions are hard to come up with., however, it seems clear that even though techologies such as LTE and VoLTE have been available for some time, SS7 will probably still be a fact of life for a good number of years to come.

Q: Are the STP providers (such as Tekelec/Oracle) implementing the SS7 Firewall?

A: Some STP providers do provide SS7 firewall features with their products, however these are usually relatively basic and do not offer the full breadth of functionality that a dedicated SS7 firewall provider can supply.

Q: How long will SS7 be around for? Are there any more secure replacements on the horizon?

A: Newer technologies, such as for example LTE, use IP-based DIAMETER protocol as a replacement for SS7, however operators implementing LTE will probably do so in parallel with SS7 for the forseeable future. Telecoms operators may experience challenges in adapting fast and new technologies. This is due to various factors, such as previous investment in older technology as well as security and stability concerns. Even when an operator introduces new technologies to its network, older technology is often still kept in use in order to cater for older handsets that might still be in use by the MNO’s subscribers. Of course, exact predictions are hard to come up with. however it seems clear that even though techologies such as LTE and VoLTE have been available for some time, SS7 will probably still be a fact of life for a good number of years to come.

Q: In North America we normally don’t have direct connection to other MNOs, instead we connect through a SS7 hub like Syniverse. Are all these threats also applicable in this case?

A: This depends on what kind of services and connections are provided by the hub, however the same threats could still potentially apply. One needs also to keep in mind that operators usually have multiple SS7 Hubs and direct domestic connectivity. This implies that for comprehensive protection all such entry points needs to be secured.

Q: How do IT Security do the penetration test on SS7 network? Since it is different with IP based, how do they check their network if they are already secured?

A: There are various techniques used to analyse a network for security flaws. Most of these are variants of the same techniques used in IP pentesting. Network penetration testing is a large topic, however there are well trusted companies specialising in telecoms secuity that provide penetration and vulnerability testing as a service to operators.

Q: How much time you have before the cyberattack has been released?

A: Such SS7 threats have been there since day one and are still present today. The deployment of an active SS7 FW would prevent such attacks from happening in realtime and as soon as such attacks are being be performed.

Q: Are there any additional methods of protecting SS7 networks apart from SS7 firewalls?

A: As has been discussed during the webinar the inherent issue with SS7 threats is mostly due to external threats originating from the fact that this protocol is no longer in use by a closed user group. An operator can detatch itself from being connected to external entities but this is hardly an option for the absolute majority of MNOs.
The more realistic approach for MNOs is to have the right SS7 firewall with regular Network Penetration Testing as an additional method to ensure that the MNO is protected agaianst SS7 threats.

Q: Could you talk a little about the threat actors in SS7 and a network operator’s ability to protect against each type?

A: Given that telecommunications networks are much more open nowadays than they used to be, threats can come from a huge variety of sources. These can vary from rogue operators looking to save costs, to fraudulent employees to aggregators to calling-card providers who use Sim boxes to bypass international and interconnect charging to lone hackers who gain access to the SS7 network via illicit means (hacking a femtocell, gaining access to a base station etc.). Every separate source of fraud potentially needs to be considered as a distinct use-case, however having a solid SS7 firewall in place that guards against the known vulnerabilities inherent in ss7 goes a long way to either prevent or severly limit the damage that can be done if the network is breached in any way. Apart from firewalling at the SS7 level, a comprehensive protection system might also apply various high-level algorithims to detect other, kinds of illicit activity on the network. For example, spam detection is often performed using various machine learning techniques. Similarly Sim box detection is usually performed in either an active fashion, through the use of ongoing test calls, or passively, either through real-time analysis of network traffic or analysis of Call Data Records generated by various network elements on the operator’s network.

Q: Hello Kevin, Who was the guy, who demonstrated the vulnerability of SS7 network – in a live TV show – and was showing how easy is the interception of call and SMS? Is this video available on youtube?

A: The person you are referring to is Karsten Nohl and the TV show is “60 minutes”. He is the managing director of Security Research Labs and an active contributor in GSMA security forums. The video is available on Youtube and easily found.

Q: There was a talk at blackhat event in US couple of months ago by P1 Security regarding an SS7 firewall and also a Diameter firewall. Did you have the chance to have a look at the features of it? and what do you think about the measures in regards to more sofisticated special attacks?

A: The talk by P1 security described their release of an open-source SS7/Diameter firewall, with a view to make it easier and cheaper for operators to secure their networks. We applaud P1 Security for taking the initiatitive to produce their reference implementation of an SS7 firewall. While their implementation is not meant to be deployed live by an operator, it can serve as a baseline to which to compare other commercial firewalls.

If you wish to watch the replay of the webinar and the Q&A session with Kevin Panzavecchia, CTO at HAUD you can do so on the MWL website by simply registering yourself (name and email address required).

Read also Questions and Answers from the MWL webinar SS7 Vulnerabilities (part 2)

Error: Contact form not found.