Mobile networks around the world have been penetrated by criminals and governments via bugs in signalling code.
Security holes have been found in a technology known as Signalling System 7 (SS7), which helps to interconnect international mobile networks across the globe.
AdaptiveMobile has uncovered evidence of global SS7 network attacks causing damage to mobile operators around the world after partnering with mobile operators and networks to analyse and secure the SS7 traffic across their networks.
Exploits, including location tracking and call interception, are said to be rife. The study also uncovered evidence of attempted fraud, focusing on Europe, Middle East and the Americas.
The results are a serious concern but not entirely surprising. Flaws in SS7 have been known about for years and readily lend themselves to surveillance, both targeted and on a grand scale, allowing miscreants to tap into calls, read text messages and divert traffic.
In one well documented case, SS7 flaws were used to redirect sensitive conversations of targeted individuals on the MTS Ukraine network to a Russian mobile operator.
By contrast, SS7 is far more robust when it comes to the security and integrity of billing functionality. Even so, some studies have suggested SS7 loopholes can be abused to move credit between mobile accounts.
Attacks such as ”silent SMS pings" can be used to locate mobile phones anywhere in the world via SS7. With the right request it might be possible to trick a mobile network into handing over the crypto keys from any SIM/session. This rumoured – but unverified – capability would be restricted to the more capable intel agencies.
Details of SS7 vulnerabilities were publically revealed for the first time at the Chaos Communication Congress hacker conference in Hamburg last December. El Reg's story on the CCC presentation provides more info on how the ageing SS7 protocol works as well potential attacks.
AdaptiveMobile’s SS7 Protection service, launched in February 2015, aims to analyse and secure the SS7 traffic travelling through operator networks. The firm uses the combination of an SS7 Firewall, advanced reporting and threat intelligence to identify and combat threats. Sitting on the systems of 75 operator networks worldwide, AdaptiveMobile protects one fifth of the world’s subscribers, witnessing in excess of 30 billion mobile events every day, according to the mobile network security firm.
Unauthorised access to the SS7 network can cause significant financial and reputational damage to the operator community, according to AdaptiveMobile. Fraudulent roaming configurations can cost operators millions of dollars without any opportunity to recapture this revenue. Without appropriate preventative measures being put into place, operators are allowing adversaries to know exactly where a subscriber is at any given moment and to intercept and reroute device communications, listening to every call and reading every text message, the firm warns.
“Through our analysis of SS7 traffic we’ve detected numerous types of SS7 requests and responses being received and sent from one operator network to another,” said Cathal McDaid, head of AdaptiveMobile’s Threat Intelligence Unit. “From the Americas to MENA, Europe to APAC, the operator networks analysed have all shown evidence of suspicious SS7 activity. We’re working with operators to secure their networks as none are exempt from these types of attacks.”
Chris Wysopal, CISO and CTO at application security firm Veracode, commented: “The SS7 vulnerabilities are just another example of software-based systems that weren’t built for the rich interconnectivity and threats of the modern mobile infrastructure.”
“Development teams need to go into projects with the expectations that what they’re creating will live in a hostile environment where attackers will look to exploit vulnerabilities. We’ve seen this across every industry and it’s no surprise it’s occurring in the telco industry,” he added.
The potential for abuse for any group capable of breaking SS7 are rich, according to Wysopal.
“A core protocol like SS7 provides governments and rogue actors wide access to the world’s communications infrastructure making it an incredibly attractive system to break into,” Wysopal explained. “Until software developers change their approach and build security into their code from the start, we’re going to continue to see these problems.”
A worldwide map of SS7 international roaming infrastructure vulnerabilities – put together following an earlier study by telecom security specialist P1 Labs late last year – can be found here. China is among the countries with the worst security rating for SS7 security, alongside the likes of Uzbekistan. Somalia and Yemen as well as (more surprisingly) Bolivia and Greenland are also highlighted. ®