Signaling System No. 7 (SS7) is the system that connects one mobile phone network to another. SS7 is a suite of protocols standardized in the ITU-T Q.700 series. New protocols were later added to support additional services such as roaming, Short Message Service (SMS), and data. As with many legacy technologies, SS7 was designed with little security. Concepts such as authentication and authorization were hardly present or discussed; SS7 security was based solely on trust. The protocol was regarded as a closed network, and researchers had no access to SS7 networks. However, the SS7 network is no longer closed. Network providers are opening up their SS7 networks to third parties as part of their commercial offerings.
This legacy technology has vulnerabilities. Malicious actors can exploit vulnerabilities that were brought to public attention in 2010 and still exist today. The actors can transparently forward calls, record or listen to calls, read SMS messages sent between phones, and track the location of a phone. The attack surface is vast. There are over 800 cell phone networks around the world, each with roughly 100 to 200 interlocking roaming agreements with other networks. That means virtually every cell phone network is interconnected, allowing hackers to potentially tap any phone regardless of location.
Since the exposure of these security holes, some organizations have set up services that monitor abuses of the networks and have employed security contractors and researchers to analyze the SS7 systems in use and try to prevent unauthorized access. The main risk to users is to their privacy: voice calls being listened to, text messages being read, and people and their habits being tracked, by anyone from criminal hackers to government surveillance. However, there are other dangers, such as interception of the two-step verification codes that are often used as a security measure when logging into email accounts, banks, or other secure institutions to verify a user’s identity.
For an attack to occur, the bad actor must know enough to build a node that emulates a mobile operator’s. To access an SS7 network, attackers can acquire an existing provider’s connection on the black market or obtain authorization to operate as a mobile carrier in countries with lax communications laws. In addition, any hacker who happens to work as a technical specialist at a telecommunications operator would be able to connect rogue equipment to the company’s SS7 network. To perform certain attacks, legitimate functions of the existing communication network equipment must be used.
There are multiple attacks and multiple ways to accomplish them. This post will only provide an example of intercepting SMS. However, the Signaling System 7 Security Report from Positive Technologies and The Fall of SS7 - How Can the Critical Security Controls Help? in the SANS Institute InfoSec Reading Room are great resources for an in-depth look at the attacks.
Intercept SMS Attack:
The updateLocation message is used to update the subscriber’s location in the network. It informs the network of which Visitor Location Register (VLR)/Mobile-services Switching Center (MSC) the subscriber is currently connected to. Using a fake updateLocation message, the attacker claims that the victim’s mobile station is connected to their MSC. In this case, the subscriber’s SMSs will be forwarded to the attacker’s SMS center to be delivered to the MS. In addition to intercepting personal SMSs of the target, this attack can be used against authentication systems that rely on SMS verification (SMS tokens, Facebook verification, etc.) and could lead to the compromise of the target’s identity.
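The monitoring services mentioned above catch this attack by checking whether each updateLocation is plausible: a registration from a VLR outside the operator's roaming partners, or a subscriber "moving" between countries faster than travel allows, is a strong signal of a fake registration. The following is an added example written for this post, not code from the original or from any operator's SS7 firewall; the log format, the partner global-title prefixes, the IMSIs and the travel-time threshold are all constructed.

```python
# Added example (not from the original post): a toy SS7 "velocity" check of the
# kind an operator's signaling monitor applies to MAP updateLocation traffic.
# Log format, field names, partner list and IMSIs are constructed for this example.
from datetime import datetime

# Constructed allowlist: VLR global-title prefixes of networks we have roaming
# agreements with (a real list comes from the operator's roaming database).
ROAMING_PARTNERS = {"4479": "GB", "4915": "DE", "3380": "FR"}
# Constructed minimum plausible travel time (hours) between two partner countries.
MIN_HOURS_BETWEEN_COUNTRIES = 2.0

# Constructed sample log lines: time, IMSI, VLR global title sending updateLocation
SAMPLE_LOG = """2016-04-19T10:00:00 IMSI=234150000000001 VLR_GT=447900000001
2016-04-19T10:20:00 IMSI=234150000000001 VLR_GT=491500000009
2016-04-19T10:30:00 IMSI=234150000000002 VLR_GT=999900000123
2016-04-19T16:00:00 IMSI=234150000000001 VLR_GT=338000000002"""


def parse_line(line):
    """Split one constructed log line into (timestamp, imsi, vlr_gt)."""
    ts, imsi, gt = line.split()
    return (datetime.fromisoformat(ts), imsi.split("=")[1], gt.split("=")[1])


def country_of(vlr_gt):
    """Map a VLR global title to a roaming-partner country, or None if unknown."""
    for prefix, country in ROAMING_PARTNERS.items():
        if vlr_gt.startswith(prefix):
            return country
    return None


def check_update_locations(log_text):
    """Return (imsi, reason) alerts for updateLocations that look like fake registrations."""
    last_seen = {}  # imsi -> (time, country) of the last accepted registration
    alerts = []
    for line in log_text.splitlines():
        ts, imsi, gt = parse_line(line)
        country = country_of(gt)
        if country is None:
            alerts.append((imsi, "updateLocation from non-partner VLR " + gt))
            continue
        if imsi in last_seen:
            prev_ts, prev_country = last_seen[imsi]
            hours = (ts - prev_ts).total_seconds() / 3600
            if prev_country != country and hours < MIN_HOURS_BETWEEN_COUNTRIES:
                alerts.append((imsi, f"implausible move {prev_country}->{country} in {hours:.1f}h"))
                continue  # do not accept the suspicious registration as the new location
        last_seen[imsi] = (ts, country)
    return alerts
```

On the constructed log this flags the second line (subscriber 1 "moves" from GB to DE in 20 minutes) and the third (a VLR with no roaming agreement), while accepting the six-hour GB to FR move.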
Glossary:
The Mobile-services Switching Center (MSC) constitutes the interface between the radio system and the fixed network. It performs all the functions needed to handle circuit-switched services to and from the mobile stations. The MSC usually consists of two systems: the MSC server, responsible for the signaling, and the media gateway (MGW), which handles the user traffic.
The Visitor Location Register (VLR) is a database of the subscribers who have roamed into the jurisdiction of the MSC it serves. When a Mobile Station (MS) enters a new location area, it starts a registration procedure. The MSC in charge of that area notices this registration and transfers to a VLR the identity of the location area where the mobile station is situated. If this MS is not yet registered in the VLR, the VLR and the HLR exchange information to allow the proper handling of circuit-switched (CS) calls involving the MS. In practice, for performance reasons, most vendors integrate the VLR directly into the visited MSC (V-MSC).
References:
Gibbs, S. (2016). SS7 hack explained: What can you do about it? Retrieved April 26, 2016, from https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls
Bennett, C. (2016). Serious weaknesses seen in cell phone networks. Retrieved April 26, 2016, from http://thehill.com/policy/cybersecurity/277329-serious-weaknesses-seen-in-cell-phone-networks?utm_medium=email
Mourad, H. (2015). The Fall of SS7 – How Can the Critical Security Controls Help? Retrieved April 26, 2016, from https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
Positive Technologies. (n.d.). Signaling System 7 (SS7) Security Report. Retrieved April 26, 2016, from http://www.ptsecurity.com/upload/iblock/083/08391102d2bd30c5fe234145877ebcc0.pdf