SS7 - A world of endless possibilities

Signaling System No. 7 (SS7) was defined by the ITU as the communication protocol among mobile operators when they were switching from analog to digital networks. Everything was circuit-switched, and the internet was probably known to only a few people in those days. SS7's purpose was to carry call control separately from the call itself, so that tricks like blueboxing were no longer possible. SS7 is itself a packet-switched network and its original purpose was call control, but it was extended over the years with many add-ons: Intelligent Network triggers are used to look up routing information for 800 numbers, and CNAM is used in the ANSI variant to look up caller names. The most prominent use today, however, is roaming and SMS exchange between mobile operators.

When GSM MAP, the part of SS7 used between mobile operators, was designed and implemented, SS7 was a closed network. Only national operators used it, on their own infrastructure, and nobody else had access. A sole provider in a monopolistic environment exchanged information with another sole provider in another country. There was no competition, and nobody had reason to distrust the roaming partner. Things have changed over the last 25 years, however: most countries now have multiple competing operators, and third parties providing value-added services are connected to these operators. SS7 itself remained as it was. Zero security. Zero certification. Zero alterations from the initial design.

So what are the dangers? Somebody could send an SMS pretending to be you. Not scary enough? What if that someone ordered a premium rate service and you paid for it? Injecting a packet into the SS7 network is all it takes: the SMSC accepts it and delivers it to the destination. No hacking of your phone is involved; only your phone number is required. What if someone redirected your phone to a premium rate number and then kept calling your number? You would pay for the redirection. What if someone told the network that you are roaming in an offshore country while you are logging into your bank account, and received your SMS verification PINs? What if a roaming SIM has run out of credit and the attacker tells the systems that there is plenty of credit left, so the attacker can call anywhere for free at the operator's cost?

These scenarios are not theoretical. They do exist and they have been implemented.

What do mobile operators do? They add packet filtering systems. These are effective enough against the simple attacks, but context information is needed to decide whether to allow or disallow certain packets. For example, if a user is currently roaming in New York, an SMS from Moscow 2 minutes later is impossible, simply because no one can travel that fast.

SS7 is at the core of the mobile networks and cannot be replaced easily or quickly. The protocol is used intensively every day and cannot be altered overnight. To mitigate the threats, it is therefore essential to understand the attacker and their intentions, and then implement intelligent ways to filter in the right context: a smart SS7 firewall that adapts to the threats, one that can learn and document potential threats and in most cases blocks them, or alerts the operator and lets them decide.
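The velocity rule described above (a subscriber seen in New York cannot turn up in Moscow two minutes later), written out as an added Python example; this is illustrative code, not AMD Telecom's firewall. The city coordinates, the 1000 km/h plausibility bound, the mapping from serving location to coordinates and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed bound: faster than any airliner, so only "teleporting" subscribers are flagged
# Constructed lookup (serving location -> lat/lon); a deployment would map the Global Title / VLR address instead.
LOCATION_COORDS = {"New York": (40.7128, -74.0060), "Newark": (40.7357, -74.1724),
                   "Moscow": (55.7558, 37.6173)}

@dataclass
class LocationEvent:
    imsi: str
    location: str  # serving location observed in a signaling message (constructed label)
    timestamp: float  # seconds since epoch

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def velocity_check(prev, curr, max_speed_kmh=MAX_SPEED_KMH):
    """Return (plausible, implied_speed_kmh) for the move from prev to curr."""
    distance = haversine_km(LOCATION_COORDS[prev.location], LOCATION_COORDS[curr.location])
    hours = (curr.timestamp - prev.timestamp) / 3600.0
    if hours <= 0:  # same instant or out of order: only a zero-distance "move" is fine
        speed = 0.0 if distance == 0 else float("inf")
    else:
        speed = distance / hours
    return speed <= max_speed_kmh, speed

def check_events(events):
    """Per IMSI, in time order, return (imsi, from, to, speed_kmh) for each implausible hop."""
    by_imsi = {}
    for ev in events:
        by_imsi.setdefault(ev.imsi, []).append(ev)
    flagged = []
    for imsi, evs in by_imsi.items():
        evs.sort(key=lambda e: e.timestamp)
        for prev, curr in zip(evs, evs[1:]):
            ok, speed = velocity_check(prev, curr)
            if not ok:
                flagged.append((imsi, prev.location, curr.location, speed))
    return flagged

SAMPLE_EVENTS = [  # constructed; test-range IMSIs (MCC 001); the first subscriber "moves" New York -> Moscow in 2 minutes
    LocationEvent("001010000000001", "New York", 1_700_000_000.0),
    LocationEvent("001010000000001", "Moscow", 1_700_000_120.0),
    LocationEvent("001010000000002", "New York", 1_700_000_000.0),
    LocationEvent("001010000000002", "Newark", 1_700_000_600.0),
]
```

Running `check_events(SAMPLE_EVENTS)` flags only the first subscriber, whose implied speed is in the hundreds of thousands of km/h, while the New York to Newark hop passes.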

This is what we are working on at AMD Telecom: protecting the operator and the end user from fraudsters, spies, stalkers, spammers, etc.


Author: Andreas Fink, Director of Signaling department at AMD Telecom

LinkedIn: afink / Twitter: @kiwi66