Signaling for change: can the latest SS7 exploits lead to a more secure mobile future?
The revelation that US Congressman Ted Lieu consensually had his phone hacked by a German security researcher on the current affairs TV show 60 Minutes caused ripples throughout the world, and in the telecoms media in particular. That it was possible to record conversations and monitor any movements seems to have taken the world by surprise, but those in the industry have known about these issues for some time.
SS7 has undeniably been a huge success in ensuring interoperability of the world’s telephony systems. It has also facilitated the worldwide explosion of mobile connections, of which there are now 7.7 billion and counting. However, this is not the first time that the SS7 protocol has been caught in the spotlight.
It is hardly surprising that a system developed over 40 years ago would be strewn with security holes. It is unlikely the system’s architects could have envisioned just how widespread it would become and the variety of types of data and connections the protocol would handle, let alone the security and privacy risks this would in turn create.
The ubiquity of the GSM system and the backward compatibility of subsequent generations of mobile technology mean that, for the time being at least, the protocol will continue to be a part of our daily lives. Phasing out of the technology has long been mooted, but no one has yet managed to pin down a realistic timeframe as to when this might be.
Which is why mobile operators have some serious questions to answer. How, in 2016, a number of years after the vulnerabilities had originally been exposed, was a high-ranking public official in the world’s most developed economy able to be hacked in such a way?
The Edward Snowden revelations in 2014 demonstrated that eavesdropping and monitoring cellular activity was possible. Research that followed from P1 Security as well as Security Research Labs and Sternraute demonstrated what these potential vulnerabilities were, and how they could be exploited.
Mobile operators have no excuse now not to protect against these known vulnerabilities. For example, the MAPScreen module for HAUD’s SS7 Firewall can be used to monitor and control subscriber Location Management commands such as ‘update location’, ‘provideSubscriberInfo’ and ‘AnyTimeInterrogation’. These operations can be used to track subscriber location data, and had HAUD’s controls been implemented, they could have prevented the Congressman’s whereabouts being revealed.
HAUD has a proven track record in identifying and blocking other types of SS7 fraud, such as spoofing and faking, on its clients’ networks. HAUD’s SS7 Firewall monitors and validates network activity in real time, ensuring that fraudulent traffic is immediately blocked. This not only protects subscribers from being victims of unsolicited fraudulent activity, it also frees network resources by eliminating the unwanted traffic and potentially opens up new revenue streams by forcing content providers to use legitimate channels for their traffic.
There are no longer any excuses for networks not to protect their subscribers. It’s only a matter of time before fraudsters and criminals begin to use these exploits to target ordinary people, and we know that this is happening already in some instances.
Findings of the HAUD-sponsored Telecoms.com Intelligence Annual Industry Survey revealed that 84 percent of telecoms industry professionals believed SS7 security was an important issue. HAUD has the technology to help MNOs act on this concern and protect their subscribers from these vulnerabilities. With the SS7 Firewall now available as a managed service, it has never been easier to implement a bespoke mobile network security solution without significant CAPEX investment.
With growing prominence in the mainstream media, SS7 exploits are likely to become a key concern for subscribers. This could be the wake-up call the industry needed as operators look to avoid long-term reputational damage and stay in control of both their network and their customers’ experience.