Signaling System Number Seven, or SS7, is a widely-used protocol that enables mobile operators’ subscribers to communicate with each other. At the heart of an operator’s network, SS7 contains highly important data such as a subscriber’s identity, status and location, providing the operator with the ability to manage communications and bill their subscribers for the services they use.
Exploiting loopholes in the protocol
Vulnerabilities in SS7 were being publicly discussed as far back as 2008 with telecom engineers warning of possible risks and top government officials raising concerns over its security. Their fears were confirmed when a German researcher demonstrated how the protocol could be used to determine a mobile phone’s location.
The issue didn’t gain any real public attention until 2013 though, when it was revealed that a government security agency had exploited SS7 vulnerabilities for surveillance purposes. Since then, a series of further incidents have demonstrated how unauthorized access to the network is not only possible but far simpler to achieve than once believed.
Loopholes in the SS7 protocol can be exploited to allow criminals to steal money, listen in on conversations, monitor messages, determine a subscriber’s location, manipulate network and subscriber data, and generally disrupt services.
Safety protocols around an SS7 network’s hosts and communications channels once involved physical security, making it almost impossible to obtain access through a remote unauthorized host. Nowadays, however, while the process of placing voice calls in modern mobile networks still relies on technology dating back to the 1970s, the deployment of new signaling transport protocols allow SS7 to run over IP. But, while this offers networks the advantages of greater bandwidth, redundancy, reliability, and access to IP-based functions and applications, it has also opened up new points of vulnerability.
Manipulating USSD commands
One of the ways in which attackers can take advantage of the SS7 vulnerability that is of considerable concern to many, is the manipulation of USSD (Unstructured Supplementary Service Data) commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.
USSD commands are widely used by subscribers in some markets as a means of communicating directly with the automated billing or payment services offered by mobile network providers or those partners offering monetary transactions and banking services.
Generally speaking, USSD is not a particularly secure protocol and for this reason is often implemented by operators separately from their actual financial services. For example, a bank balance request made using USSD will be delivered via SMS which, in isolation, isn’t of any real use to a criminal.
However, operating a call redirect or requesting additional services through USSD requires a sequence of commands to be sent to the USSD gateway over SS7, and so it presents an opportunity for fraudsters to compromise the protocol by exploiting the weakness in SS7.
With access to a global title, an address used for routing signaling messages, and access to the signaling network itself (i.e. SS7), an attacker can assume the identity of the victims mobile to send a USSD request from outside the network.
The most basic form of protection in this case would be to perform multi-layer validation on the signaling packet to confirm the actual identity of the point in the signaling network from which the requests originate. It’s worth noting, however, that in order to launch an attack using SS7 signaling attackers need to invest in acquiring their global title and SS7 connection. In order to get a good return on that investment, attackers will be quite inventive, exploring every potential hole that might exist in an operator’s security efforts.
A more reliable validation is advisable, therefore, to determine whether or not the USSD request has been authorized and sent by a legitimate subscriber.
Agile and flexible approach to security
While it may appear relatively fundamental for validations such as these to be implemented on the USSD gateway, the gateways themselves tend to be viewed by vendors as legacy systems, and therefore enjoy little in the way of development. SS7 equipment, for example, often runs just in maintenance mode, where these security mechanisms simply aren’t available.
Attackers act fast and operators need equipment and mechanisms that allow them to react faster, regardless of whether it’s USSD that’s being targeted or any other aspect of the network. An agile and flexible firewall approach to security is required so that operators know when a signaling attack is taking place, with rules in place to protect against it.
While the SS7 network is coming under threat from a growing range of sources, operators have a window of opportunity to become a more trusted provider by moving quickly to combat potential exploitation. By implementing a comprehensive solution that is powerful enough to secure all points of attack, not only not only blocking suspicious activity but also using advanced analytics to help secure the network against future attacks.
Hackers increasingly view mobile communications as a prime vector for exploiting personal information as well as penetrating critical infrastructure and businesses, with SS7 vulnerabilities providing the entry point they need. It’s critical that the mobile ecosystem works together to quickly implement new measures now before operators, subscribers and businesses are severely impacted.
Mobile operators and the industry at large are taking these issues very seriously. Under the lead of international association, the GSMA, a group of leading mobile operators and telecom vendors have united to develop preventive measures ensuring the security and consistency of signaling networks world-wide. In an approach designed to ensure the privacy of mobile communication, the majority of fraudulent scenarios have been researched and recommendations on increased network security have been issued.