SS7 Vulnerability Assessment and Mitigation in Telecommunication Network
Threats that can be posed by attackers exploiting security flaws in mobile networks are:
Subscriber privacy violation
Manipulate Network settings
Illegal interception of calls and SMS
Denial of service
Each listed threat represents reputational and financial risks for the operator. Fraud, traffic interception, and denial of service affect subscribers directly and may lead to significant financial losses, privacy violation, and availability disruption. Subscriber information disclosure means leakage of IMSI, disclosure of location or other data, such as account balance or profile details. Network information disclosure is fraught with leakage of SS7 network configuration data. Certain methods of subscriber traffic interception allow an intruder to tap or redirect terminating and originating calls and intercept user SMS messages. Fraud attacks can be performed against both operators and subscribers.
The security of Signalling System No. 7 (SS7) has been solely based on the mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network has been regarded as a closed trusted network. This is clearly no longer valid, and an urgent need rises to analyse the security gaps in such networks and implement the needed controls to close these gaps. Several significant vulnerabilities exist in the Signalling System 7 (SS7) core infrastructure of cellular network carriers that are listed below:
Subscriber privacy violation: it is possible in cities to track subscribers down to street level; the HLR block/filter can be bypassed by querying the Visitors Location Register instead and still obtain the global cell ID for the subscriber.
Real-time call interception and SMS: the call is routed to the attacker’s system, the attacker bridges the call to the originally called party and records the conversation.
Billing fraud: one method of billing fraud is by the attacker using USSD codes to execute remote commands on behalf of the subscriber, transfer prepaid credits via USSD to the attacker, and forward call setting/deletion without the subscriber’s knowledge.
Manipulate Network Settings: – The attacker will simulate subscriber roaming in foreign network. This will override network settings made by the subscriber. The attacker executes USSD codes on behalf of the subscriber and changes outgoing callerID to any number.
Denial of Service: – Denial of Service against Operator network.
ALTEN Calsoft Labs’
- Ongoing analysis of protocol data and alarm/logging of events. This is performed without network interference via a passive network tap connection.
- Provides an active cellular firewall for the carrier’s cellular network.
- Vulnerability assessment and Penetration Testing: – Find out to what extent network elements (HLR, VLR/MSC, SCP, SMSC and SGSN) under the carrier’s management are vulnerable to SS7 attacks. Discover serious vulnerabilities before they attack and make sure the safety measures are getting the job done.
Vulnerability Assessment and Penetration
Our security consultants will develop a test plan that scans the entire network, looking for all possible technical and administrative vulnerabilities. The service includes a comprehensive report with vulnerabilities ranked according to severity level and, most importantly, recommendations for optimizing configurations, protecting security perimeters, improving interoperability between network segments, and eliminating all identified vulnerabilities. Consultants will conduct a coordinated probe across your entire enterprise. Seek to identify vulnerabilities present on Internet gateways and system hosts. Our consultants employ advanced tools and techniques, similar to those used by hackers, to identify and explore security vulnerabilities. We then analyse the findings and provide recommendations prioritized by threat level, helping to resolve issues, mitigate risk, and meet security objectives.
The services are extended to
Methodology followed by ALTEN Calsoft Labs for
Physical & Wi-Fi Testing