Signaling Network Vulnerabilities and Protection Management Strategies

Loopholes in the SS7 signaling protocol are being used to steal money, listen in on conversations, monitor messages, determine a subscriber’s location, manipulate network and subscriber data, and generally disrupt services, impacting mobile security and subscriber privacy. Potential threats to the SS7 network come from many sources, including national security agencies, fraudsters, and hackers with ill intent. It is clear that operators are facing increasing pressure to protect subscriber privacy.

Exposing subscriber and operator SS7 vulnerabilities

SS7 signaling is the central nervous system of the mobile operator’s network, carrying mission-critical real-time data on subscriber identity, status, location, technology and serving network elements. It enables the authentication of subscribers and their devices, performs call setups, authorizes charging, enforces data policies, manages quality of service, and enacts roaming or interconnection agreements. Access to this information can be very valuable when it is in the right hands and used for commercial purposes in acceptable ways. It can be very risky when it is used by the wrong people in unacceptable ways.

Someone with the right technical skill and malicious intent can now exploit the mobile network and its subscribers through simple network manipulation. SS7 exploits take various forms, including:

• Obtaining the mobile subscriber’s confidential identity (IMSI)

• Determining subscriber’s location

• Blocking a subscriber from receiving incoming calls and text messages

• Intercepting a subscriber’s incoming SMS messages.  This includes the ability to send a confirmation message and alter the subscriber’s message 

• Sending a request to transfer funds between a subscriber’s accounts

• Manipulating the subscriber’s profile to bypass billing

• Redirecting the incoming calls

• Denying the incoming calls

These attacks can be used to steal identities, steal money, listen in on conversations, monitor messages, determine a subscriber’s location, manipulate network and subscriber data, and generally disrupt services.

With this security issue being new to the industry and actual exploits only now being exposed as knowledge and understanding develop, the impact of these threats could be devastating to the mobile network operator. It is also important to note that this list is likely to grow as the sophistication of attackers improves.

Solving the SS7 security problem

The mobile ecosystem has begun work to define recommendations and to build and implement solutions that detect and prevent potential attacks. Operators need a solution that is easy to deploy yet comprehensive, and ideally one that overlays the existing architecture. That means integration should be flexible, eliminating the need and expense of redesigning the underlying signaling network architecture. The objective is not merely to block suspicious traffic but to use global threat intelligence and advanced analytics to secure the network against privacy and fraud attacks.

There are several layers of protection that need to be implemented to ensure complete protection.

  • Filter and control incoming MAP/CAP requests
    SS7 MAP/CAP operation-level control should prevent unauthorized usage of the network primitives that reveal location and subscriber identity. This measure, which can often be configured at the STP level, is necessary but not exhaustive. The same interconnect elements that originate legal MAP/CAP requests might still be used by the attacker as an entry point into the network. To address this aspect of fraud control efficiently, validation of requests should happen across all the layers of the SS7 stack.
  • Active validation of the originating entity
    For any suspicious operation received from outside the network and originated on behalf of the operator's own subscriber, the actual location (VLR/MSC) of the subscriber should be validated. This is known as an anti-spoof technique and is often used for mobile-originated SMS messages; however, there is a whole range of MAP/CAP operations where this technique should be applied.
  • VLR/MSC update validation
    The mobile nature of cellular communication assumes that subscribers are on the move. At the same time, it is physically impossible for the same subscriber to appear in different parts of the world within a short time period. When a roaming subscriber identifies itself in one European country (for example Germany), it is physically impossible that the same subscriber can appear somewhere in Asia or Latin America in the next ten minutes. Such a situation should definitely raise an alarm at the operator security department.
  • Detection of the unusual MSU sequences
    Various optimizations and multi-year staged expansions of the signaling networks have led to a number of non-standard interactions between various network elements. These types of interactions are usually abused by attackers to create grey routes and to mask individual subscriber attacks.
  • Offline data analytics
    Though some of the attack techniques have been identified and can be disclosed using one of the measures mentioned above, it should be recognized that attackers will be exploiting more and more ways to break subscriber privacy or harm the mobile network. Therefore any unusual activity should be detected in near real-time mode using modern, big data analytical tooling. As a result of such analysis, the source of the potential suspicious activity can be identified enabling enforced control on discovered network elements or subscribers.
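
The VLR/MSC update validation item above can be expressed as a velocity check over location updates. The following is an added example, not part of the original article or any vendor product; the prefix table, speed limit, slack value, IMSIs and global titles are all constructed assumptions.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed lookup: VLR global-title country code -> (country, lat, lon) centroid.
VLR_CC = {"49": ("DE", 51.2, 10.4), "31": ("NL", 52.1, 5.3), "55": ("BR", -14.2, -51.9)}
MAX_SPEED_KMH = 1000.0   # assumption: about airliner cruise speed
SLACK_KM = 500.0         # assumption: tolerance for country-level granularity

def locate(vlr_gt):
    """Longest-prefix match of the VLR global title against the lookup table."""
    for n in range(len(vlr_gt), 0, -1):
        if vlr_gt[:n] in VLR_CC:
            return VLR_CC[vlr_gt[:n]]
    return None

def distance_km(a, b):
    """Great-circle (haversine) distance between two (country, lat, lon) entries."""
    lat1, lon1, lat2, lon2 = map(radians, (a[1], a[2], b[1], b[2]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def validate_updates(events):
    """events: iterable of (unix_ts, imsi, vlr_gt). Returns a list of alerts."""
    baseline, alerts = {}, []
    for ts, imsi, vlr_gt in sorted(events):
        loc = locate(vlr_gt)
        if loc is None:
            alerts.append((imsi, vlr_gt, "unknown VLR origin"))
            continue
        prev = baseline.get(imsi)
        if prev:
            hours = (ts - prev[0]) / 3600.0
            if distance_km(prev[1], loc) > MAX_SPEED_KMH * hours + SLACK_KM:
                alerts.append((imsi, vlr_gt, f"implausible move {prev[1][0]}->{loc[0]}"))
                continue  # keep the last plausible location as the baseline
        baseline[imsi] = (ts, loc)
    return alerts

# Constructed sample updates (IMSIs and global titles are made up).
SAMPLE = [
    (0,     "262010000000001", "491710000001"),
    (600,   "262010000000001", "551190000001"),  # Germany -> Brazil in 10 minutes
    (0,     "262010000000002", "491710000001"),
    (600,   "262010000000002", "316540000001"),  # border crossing, plausible
    (0,     "262010000000003", "491710000001"),
    (50400, "262010000000003", "551190000001"),  # 14 hours later, plausible
]

if __name__ == "__main__":
    for alert in validate_updates(SAMPLE):
        print(alert)
```

The slack term keeps neighbouring-country border crossings from raising alarms when only country-level location is known; a deployment with finer VLR location data could lower it.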

Therefore, simplistic IP firewall protection methods are not sufficient. Instead, a comprehensive layer-distributed solution in the form of a signalling firewall is required. The firewall should contain a powerful rules engine that screens traffic by exposing parameters from all relevant SS7 stack layers, so that they can be compared and validated against each other and against preconfigured parameters, combined with the techniques mentioned above. It must address not only today’s threats but also be capable of addressing those that are yet to come. Ideally, the solution would provide an easy-to-use interface, real-time access to information, predefined and just-in-time filters, and underlying support from a world-class data engine.

Given that mobile communications is a prime target for hackers who desire to penetrate critical infrastructures and businesses, operators need to be aware of the types of attacks and tools that are used by spammers, scammers and fraudsters, and also of how a network can be audited and protective measures put in place quickly, before subscribers, organizations, and even governments fall prey to misuse and are severely impacted. It is imperative that the ecosystem work together to build these critically needed solutions, and Xura, with its Security Fraud Management solutions, can put this protection in place.
