Image: Pexels

We (and not only we) have been talking about the security of SS7 signaling networks for a long time, but there is still a lot of skepticism: “no one can get access to SS7”, “even if someone gets access to SS7 and begins to conduct illegitimate activity, it will be immediately blocked by the source operator”, and even “GSMA monitors everyone and, if anything happens, will come down hard on whoever does it”.
However, in practice, in security monitoring projects we see that attackers may have been connected to the SS7 network inside one operator for years. Moreover, attackers do not wait until their connection is detected and blocked at one source operator: they simultaneously look for (and find) connections in other operators, and can work on one target from several places at once.
Until recently, we and other companies involved in telecom security considered the following intruder models in signaling networks (in order of probability):
- violators who gained access to signaling networks through an insider in a telecom operator;
- violators controlled by government agencies;
- violators who gained access to signaling networks through hacking by a telecom operator.
The existence of violators who actually hacked into the network of a telecom operator is usually considered the least likely. Hacking a mobile operator through the radio access subsystem with further access to the signaling network was considered almost impossible. Now we can say: such a hack was considered almost impossible (deliberately in the past tense), because at the Hack In The Box information security conference, which has just ended in Dubai, a group of researchers showed that an attacker could gain access to the SS7 network by hacking into a mobile operator through its own radio interface.
Attack pattern
When a subscriber connects to the mobile Internet, their IP session is tunneled from the subscriber device, be it a smartphone, tablet or computer connected via a modem, to the GGSN node (in a 2G/3G network) or to the PGW node (in an LTE network). Once an attacker has established a packet session, they can scan this border node for vulnerabilities; finding and exploiting one lets them penetrate deeper into the operator's IP backbone network.
Once inside the perimeter of the mobile operator, the attacker must find platforms that provide VAS services and are connected to signaling networks. In the example presented by the researchers, this was the RBT (Ring-Back Tone) platform, which plays the melody instead of the beep. This platform had a connection via SS7 signaling channels with HLR and MSC nodes.
The network engineers who installed and operated the RBT platform did not pay enough attention to its security, apparently considering it safe because it is located within the operator’s perimeter. As a result, the researchers were able to gain access to the system relatively quickly and escalate their privileges to root.
Then, having administrator rights on the RBT system, the researchers installed open source software designed to generate signaling traffic. Using this software, they scanned the internal signaling network and obtained the addresses of the neighbouring network elements: the HLR and the MSC/VLR.
Now, knowing the addresses of the network elements and having full control of a network element connected to the SS7 signaling network, the researchers obtained the IMSI identifiers of their own phones, which served as test victims, and then their location information. If attackers gained access to a signaling network in the same way, they could attack any subscriber of any mobile operator.
What is the problem
In order to start defending, you need to understand exactly what made possible an attack that was previously considered unrealizable. The answer is simple: the problem lies in multiple vulnerabilities, mainly caused by equipment configuration errors.
Technical progress, which brings new services, also brings new vulnerabilities. The more services an operator provides, the greater the responsibility of the engineers configuring the equipment. A large number of technologies requires a more serious approach to their use, including in terms of information security. Unfortunately, this is not understood everywhere.
How to protect
In the conclusion of their report, the researchers gave mobile operators a number of recommendations on how to avoid such hacks by real attackers. First, it is necessary to carefully configure the internal IP backbone network: segregate traffic, bind services to the appropriate network interfaces, limit the reachability of network elements from mobile devices and from the Internet, and never use default passwords. In other words, all network elements of the IP network must comply with standards and security policies. To do this, Positive Technologies recommends using the MaxPatrol 8 solution, which helps scan the network elements of the internal network and find vulnerabilities before an attacker does.
Secondly, you need to use active means of protecting signaling networks, such as an SS7 firewall. A solution of this class will prevent attacks on the signaling network from the outside, as well as attacks launched from the mobile operator’s network against other networks, if an attacker has nevertheless managed to gain unauthorized access to the signaling network through the radio subsystem or the Internet.
And thirdly, it is imperative to use a security monitoring system for signaling traffic and intrusion detection in order to detect attacks in time and be able to quickly block a malicious node.
By the way, the PT Telecom Attack Discovery detection and response system does an excellent job with the last two tasks.
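One way the monitoring recommended above can catch a compromised VAS node: a per-source allow-list of MAP operations, so that an RBT platform that suddenly starts asking the HLR for IMSIs or locations raises an alert. This is an added illustration, not code from Positive Technologies or the researchers; the log format, the global titles (GTs), the allow-list and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed log format: timestamp, calling GT, called GT, MAP operation name.
LOG_RE = re.compile(r"^(?P<ts>\S+) cgGT=(?P<cg>\d+) cdGT=(?P<cd>\d+) op=(?P<op>\w+)$")

# Assumed site policy: which MAP operations each internal VAS node may originate.
# GT values are placeholders; the RBT platform is assumed to need only call-routing
# lookups, so anything else from its GT is suspicious.
ALLOWED_OPS = {
    "79000000001": {"sendRoutingInfo"},                                  # RBT platform
    "79000000002": {"sendRoutingInfoForSM", "reportSMDeliveryStatus"},   # SMSC
}

# Real MAP operations that disclose IMSI or location; used only to rank alerts.
SENSITIVE_OPS = {"sendIMSI", "anyTimeInterrogation", "provideSubscriberInfo",
                 "sendRoutingInfoForSM", "updateLocation"}

def check_line(line):
    """Return an (alert_type, record) tuple for a policy violation, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None                      # unparseable lines are ignored here
    rec = m.groupdict()
    allowed = ALLOWED_OPS.get(rec["cg"])
    if allowed is None:
        return ("unknown_source", rec)   # GT not registered as an internal node
    if rec["op"] not in allowed:
        severity = "high" if rec["op"] in SENSITIVE_OPS else "medium"
        return (f"unexpected_op:{severity}", rec)
    return None

def scan(lines):
    """Scan signaling log lines; return alerts and a per-source GT alert count."""
    alerts = [a for a in map(check_line, lines) if a is not None]
    per_source = Counter(rec["cg"] for _, rec in alerts)
    return alerts, per_source

# Constructed sample: the RBT GT first behaves normally, then issues IMSI and
# location queries (as in the incident), and an unregistered GT appears.
SAMPLE_LOG = [
    "2019-04-25T10:00:01Z cgGT=79000000001 cdGT=79000000100 op=sendRoutingInfo",
    "2019-04-25T10:00:02Z cgGT=79000000002 cdGT=79000000100 op=sendRoutingInfoForSM",
    "2019-04-25T10:00:03Z cgGT=79000000001 cdGT=79000000100 op=sendIMSI",
    "2019-04-25T10:00:04Z cgGT=79000000001 cdGT=79000000100 op=anyTimeInterrogation",
    "2019-04-25T10:00:05Z cgGT=79000000099 cdGT=79000000100 op=provideSubscriberInfo",
]

if __name__ == "__main__":
    for alert_type, rec in scan(SAMPLE_LOG)[0]:
        print(alert_type, rec["cg"], "->", rec["cd"], rec["op"])
```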
Our research on SS7 network security:
Author : Sergey Puzankov, security expert for telecom operators, Positive Technologies