SS7 Attacks

As with many legacy protocols, SS7 was designed with little security in mind. Concepts such as authentication and authorization were hardly present or discussed. SS7 security was based solely on trust. The core network elements were built accordingly, with few if any defenses against abuse of SS7 functionality. Because SS7 was regarded as a closed network, very little security research has been done to assess its security. Security researchers had no access to SS7 networks, and service providers had little interest in looking into the topic.

But the SS7 network is no longer closed. Network providers are opening up their SS7 networks to third parties as part of their commercial offerings. Network elements such as femtocells are leaving the closed boundaries of the operators and are placed in untrusted locations; hackers may find their way into the networks of mobile operators; and it is needless to mention that some operators may be under the control of nation states with malicious intentions to abuse such insecure networks.

Abusing SS7 insecurities can have a severe effect; the nature of the protocol allows access to information such as user location and call/SMS details. Financial services and authentication systems were built based on the trust of the services provided by such protocols. Denial of service attacks abusing those insecurities can be devastating to the telecommunication infrastructure of nations.

In the next sections, we will examine some of the attacks that were announced against SS7, in the hope of analyzing the missing controls and eventually proposing some controls that can limit the effect of these attacks. These sections draw heavily on the work done by the security researchers Tobias Engel and Karsten Nohl in the areas of call and SMS interception, location tracking, fraud, and denial of service.

Call and SMS Interception

Intercepting communications has always been the ultimate target for any espionage operations. In the old days of wired phones, the attacker needed to physically tap into the wire to be able to listen to an ongoing call.
In the age of mobile communication, the call is transmitted over the radio between the calling parties and the mobile networks. Normally the traffic is encrypted over the air interface. The encryption is done using either A5/1 or A5/3 protocols. Recently the A5/1 suite has been broken and it is possible to decrypt the calls transferred over the air interface using cheap radio interceptors and rainbow tables (Nohl, Munaut, 2010). As a result, the operators started to roll out the stronger ciphering protocol A5/3 to combat such attacks.

Yet the recently disclosed SS7 vulnerabilities opened multiple avenues that facilitate the interception of calls and SMS transmitted over the mobile network.