8 SS7 vulnerabilities you need to know about - Cellusys

The document discusses eight vulnerabilities associated with the SS7 protocol that can impact mobile subscribers, categorized into obtaining subscriber information, eavesdropping, financial theft, and service disruption. It highlights the ease with which attackers can access sensitive subscriber data, intercept communications, and manipulate services for financial gain. The conclusion emphasizes the need for implementing security firewalls to protect against these threats, as changing the protocol is not feasible.

Brendan Cleary October 20, 2015

8 SS7 vulnerabilities you need to know about

Wow, SS7 has been in the network controlling wire-line and wireless calls since the mid 1980s, and now we are talking about its vulnerabilities. A lot of people think we should only be focused on the evolution to LTE/EPC Diameter-based networks; however, the legacy SS7 protocol-based networks serve the vast majority of wireless subscribers. Current indications are that SS7 will be around for quite some time, and as such any vulnerabilities should be addressed immediately. Before we can address these threats we must first understand them and how they are even possible given the longevity of the network and protocol. The topic of discussion in this post will be limited to those threats that are directly related to subscribers. Additional threats, such as denial of service against network elements such as Mobile Switching Centers, will be discussed in subsequent posts.

In this discussion I will group these 8 threats into 4 broad categories so the impact on the subscriber, and ultimately the network operator, can be easily determined. These categories are:

Obtaining Subscriber Information
Eavesdropping on subscriber (SMS and calls – incoming and outgoing)
Financial theft
Disruption of subscriber service

This post is merely an overview of these eight threats. During the research for this post and the associated eBook “SS7 Vulnerabilities” I quickly found my mind wandering: I was able to take these threats and, with the knowledge gained, extend them and come up with many more.

Note: In my experience with the SS7 protocol and network, I have never seen access to the network, technical protocol and network information, and protocol message generation capabilities as easy and inexpensive to obtain.

Obtaining Subscriber Information

The information gained through the threats in this category opens the door to the remaining threats discussed in this post. Additionally, this information can be used by the attacker or sold on the open market as a source of revenue. There are two types of information gained in this category: the International Mobile Subscriber Identity (IMSI) and the location of the subscriber, whether at home or roaming.

Vulnerability 1. Obtaining the Subscriber IMSI

The IMSI uniquely identifies a subscriber within the mobile network. Since the IMSI can lead to other threats it is not transmitted over the “Air Interface”; instead a randomized Temporary Mobile Subscriber Identity (TMSI) is used over the air. However, if an attacker is able to obtain the TMSI over the air interface and has access to the SS7 network, all they have to do is use the SS7 protocol and ask which IMSI is associated with the TMSI. Enough said about the TMSI and the air interface – we are going to focus on the SS7 protocol and messaging for this discussion. An attacker can use the SS7 Mobile Application Part (MAP) and its normal procedure for delivering a text message to a subscriber to obtain the IMSI. Once the attacker knows the IMSI, due to its format they also know the home country where the subscriber resides and their home mobile network operator. All the attacker needs is the telephone number of the target subscriber, access to the SS7 network, and a little knowledge about the target subscriber’s home SS7 network – all of which are readily available.

Vulnerability 2. Determining the subscriber’s location

There are at least two SS7 methods for determining a subscriber’s location within the global mobile network. The first utilizes a message and procedure known as Any Time Interrogation, which returns the subscriber’s location parameters. However, a large number of network operators have stopped their equipment from responding to these messages. In the second procedure the attacker poses as a fake Home Location Register and uses the normal MAP messages and procedure known as Provide Subscriber Information. The information received from this process yields the Cell ID, the Mobile Country Code (MCC), the Mobile Network Code (MNC) and the Location Area Code, all related to the target subscriber’s current location.

Eavesdropping on subscriber calls (incoming and outgoing)

There are three vulnerabilities in this category that would allow the intruder to listen to or record a subscriber’s conversation on incoming/outgoing calls, or to intercept and/or modify incoming text messages to a target subscriber. Each of these attacks could be performed without the knowledge of the target subscriber. The initial information required by the intruder is the mobile telephone number of the target subscriber, some knowledge of the target subscriber’s home network, and access to an SS7 network. The remainder of the information required can be accessed from the network using the initial information. Also, the attacker can be located anywhere in the world – they do not have to be part of the target subscriber’s network.

Vulnerability 3. Intercepting and monitoring an outgoing call

This is a multi-stage attack in which the attacker poses as different mobile network elements to implement a different scenario at each stage. This threat uses the Customized Applications for Mobile networks Enhanced Logic (CAMEL) Application Part (CAP) protocol and logic, which allows network operators to define services over and above the standard Global System for Mobile communications (GSM) and Universal Mobile Telecommunication System (UMTS) services. The CAMEL logic and network are based on the SS7 Intelligent Network (IN) used in wire-line networks. In this threat the intruder has the outgoing call routed to their bridging/monitoring/recording system, then places a second call leg to the original called party and subsequently bridges the two call legs together, with the intruder being the “Man in the Middle”.

Vulnerability 4. Intercepting and monitoring an incoming call

This threat uses the SS7 MAP messaging and procedures for an everyday subscriber call forwarding feature; however, it is activated at the SS7 level without the target subscriber’s knowledge. This vulnerability, like the one described in “Intercepting and monitoring an outgoing call”, is a multi-stage attack. It also uses a bridging/monitoring/recording system to bridge two calls together. The intruder call-forwards (at the SS7 MAP message level) the target subscriber’s calls to their bridging/monitoring/recording system. The intruder then cancels call forwarding (at the SS7 MAP message level) and places a second call leg to the original called party. The intruder bridges the two call legs together with their bridging/monitoring/recording system, all without the knowledge of either party involved in the call.

Financial theft

Vulnerability 5. Intercepting a subscriber’s SMS (Text) Messages

The premise of this attack is that the intruder poses as an MSC/VLR and sends a MAP-Update-Location (UL) Request message directly to the subscriber’s HLR. Upon completion of this procedure, SMS messages will be sent to the intruder acting as a fake MSC serving the target subscriber. This attack can be used to obtain the target subscriber’s passwords and to reset passwords; once the passwords are reset the intruder has carte blanche over the target subscriber’s accounts.

Vulnerability 6. Manipulating USSD Requests

Unstructured Supplementary Service Data (USSD) is currently being used for mobile prepaid, online banking and other financially sensitive applications. Fraud linked to USSD can cause severe financial impacts to subscribers, network operators, financial institutions and many others. In this multi-stage attack the intruder first poses as a Short Message Service Center (SMSC) to obtain the Global Title (GT) address of the target subscriber’s Home Location Register (HLR), the IMSI of the target subscriber and the current serving Mobile Switching Center (MSC). In the next stage the intruder poses as an MSC acting on behalf of the target subscriber and requests the subscriber’s current account balance. After receipt of the account information the intruder again poses as the MSC acting on behalf of the subscriber and requests a transfer of funds from the target subscriber’s account to the intruder’s account. Normally an SMS message is sent to the subscriber indicating the transfer; however, if this attack is coupled with “Vulnerability 5. Intercepting a subscriber’s SMS (Text) Messages” then the SMS never reaches the target subscriber.

Disruption of subscriber service

The two vulnerabilities described in this section can be used to interrupt service to any subscriber, or to activate or change billing, thus enabling fraudulent calls to be made from the mobile station. Either of these scenarios can cause a significant financial impact on the mobile network operator: one through outright fraud, the other through subscriber churn due to a perceived lack of service.

Vulnerability 7. Disruption of subscriber availability

In this attack the intruder poses as an MSC/VLR and sends a MAP-Update-Location (UL) Request message directly to the subscriber’s HLR. Once the Update Location procedure is complete the subscriber will not be able to receive incoming messages or calls until they move to another MSC/VLR, reboot the phone or place an outgoing call. These procedures are part of the normal mobility management when the subscriber moves to a new area served by a different MSC. The intruder spoofs the network into believing that they are the new MSC.

Vulnerability 8. Manipulating a subscriber’s profile in the Visitor Location Register (VLR)

Any time an intruder has access to the subscriber identity (MSISDN, IMSI), the address of the serving MSC/VLR and the format of the subscriber profile, they can alter billing and routing, allowing:

Disruption of the subscriber service
The use of the subscriber’s mobile station to make fraudulent calls.

In this attack, the intruder poses as an HLR and sends a fraudulent subscriber profile to the serving MSC/VLR, invoking whatever services the intruder desires. These services can include:

Bypassing billing services
Turning on or off call forwarding
Barring calls to the target subscriber
And many, many more

Conclusion

As you can see from the examples provided in this blog, vulnerabilities and fraud within the SS7 protocol and network are a very serious issue. Some might say, “Let’s change the protocol and network”, but that cannot happen for many reasons, as discussed. The solution to these protocol and network issues is to place a security firewall into the network. This firewall should include the policies required to address the currently defined threats and be easily modified to address future threats as they are found. In order to accomplish these tasks the SS7 signaling firewall should have real-time monitoring capabilities to help detect defined and future threats.
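As an added illustration (not part of the original post and not Cellusys code), here is a toy policy for such a firewall in Python: it maps the vulnerabilities above to the MAP operations they rely on and decides, per message, whether the sender's Global Title may legitimately originate that operation for that IMSI. The GT and IMSI prefixes, the roaming-partner list and the vulnerability-to-operation mapping are assumptions made for the example.

```python
# Added example (not from the Cellusys post): a toy SS7 firewall policy that
# screens inbound MAP operations for the threats above. GT/IMSI prefixes and
# the threat-to-operation mapping are assumptions; V1 and V3 are not modelled.
HOME_GT_PREFIX = "3538"                 # assumed GT prefix of the home network
PARTNER_GT_PREFIXES = {"4479", "4917"}  # assumed trusted roaming partners
HOME_IMSI_PREFIX = "27201"              # assumed MCC+MNC of home subscribers
# HLR-originated operations: only the HLR of the network the IMSI belongs to
# may send them to the serving VLR/MSC (V2 fake HLR, V8 fraudulent profile).
HLR_ORIGINATED = {
    "provideSubscriberInfo": "V2: location request from a fake HLR",
    "insertSubscriberData": "V8: subscriber profile from a fake HLR",
}
NODE_ORIGINATED = {  # sent towards the home network: (threat, allowed origins)
    "anyTimeInterrogation": ("V2: location via ATI", {"home"}),
    "updateLocation": ("V5/V7: registration by a fake MSC/VLR", {"home", "partner"}),
    "registerSS": ("V4: call forwarding set at MAP level", {"home", "partner"}),
    "processUnstructuredSS-Request": ("V6: USSD manipulation", {"home", "partner"}),
}

def origin_class(calling_gt):
    """Classify the SCCP calling-party Global Title of the sender."""
    if calling_gt.startswith(HOME_GT_PREFIX):
        return "home"
    if any(calling_gt.startswith(p) for p in PARTNER_GT_PREFIXES):
        return "partner"
    return "external"

def evaluate(opcode, calling_gt, imsi):
    """Return ('allow' | 'block', reason) for one inbound MAP message."""
    origin = origin_class(calling_gt)
    if opcode in HLR_ORIGINATED:
        # The legitimate sender is the HLR of whichever network owns the IMSI.
        expected = "home" if imsi.startswith(HOME_IMSI_PREFIX) else "partner"
        if origin == expected:
            return ("allow", "sent by the subscriber's own HLR")
        return ("block", f"{opcode} from {origin} GT: {HLR_ORIGINATED[opcode]}")
    if opcode in NODE_ORIGINATED:
        threat, allowed = NODE_ORIGINATED[opcode]
        if origin in allowed:
            return ("allow", f"{origin} origin permitted for {opcode}")
        return ("block", f"{opcode} from {origin} GT: {threat}")
    return ("allow", "no policy for opcode; pass and log")

# Constructed sample: genuine roaming UL, then ATI and ISD for a home
# subscriber arriving from an unknown external GT.
SAMPLE = [
    ("updateLocation", "447912345678", "272010000000001"),
    ("anyTimeInterrogation", "12025550199", "272010000000001"),
    ("insertSubscriberData", "12025550199", "272010000000001"),
]

def run(messages=SAMPLE):
    return [evaluate(*m) for m in messages]
```

Origin checks alone do not catch a forged GT belonging to a real partner or a flood from a legitimate node; a production firewall adds per-subscriber rate and location-plausibility checks on top of rules like these.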
