Signaling Security -The Old and New threat - Amazon...
-
Upload
dangkhuong -
Category
Documents
-
view
247 -
download
8
Transcript of Signaling Security -The Old and New threat - Amazon...
-
1 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Signaling Security - The Old and New threat
Bill WelchJune 2016
-
2 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
BackgroundSS7 is not secure. Never has been.
No longer a Closed and Trusted Community.
Hacker access is easy.
Services and Applications using SS7 has grown beyond original designs.
A recent video article by 60 Minutes and previous research by German researchers at Hacking conference have provided a spotlight to expose SS7 vulnerabilities
Hacking SS7 networks is a way to make
money.
-
3 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Effects todayCarriers are forced
to pay other Carriers with no compensation
Locate a target using only a phone number
Make free calls / send free SMS / use free data
Prevent a victim from receiving
service
Overload core network with a DDOS attack
Eavesdrop on a victims phone calls / SMS message
Generate thousands of premium rate phone calls
-
4 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Threat Description
Tracking Tracking a subscribers location down to the Cell-ID level
Intercept Man-in-the-middle attacks to eavesdrop on voice calls and SMS
Fraud Subscriber and Carrier Levels
Denial of Service
Prevent victim from using network service (Voice / Data / SMS)
Spam Forwarding of SMS directly to victims network
SS7 Vulnerabilities
*Source: Cellusys Signaling Firewall Introduction 2016 and SS7 Vulnerabilities ebook www.cellusys.com
SS7 Access is Easy to Obtain and is Happening.
-
5 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Example Hack Hacker first obtains subscriber information and then executes fraudulent SMS forwarding
Hacker is able to see all SMS messages but Subscriber no longer sees messages. Hacker goes to Bank or Credit card Web site and asked for password to be reset via SMS message
Subscriber is locked out of bank/CC account Hacker make fraudulent charges or hold account in ransom with the subscriber
Gaining Access to Financial information
-
6 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Example Hack Call forwarding is setup for one phone to forward all calls to premium number (900) or international service.
Multiple parallel calls are made to forwarded phone number to run up charges
Lost per hour at $3 to $5K per hour per forwarded number
Call Forwarding to Premium number
-
7 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
OTT messaging and voice Applications must be safe as they talk about security and use encryption
But they are only as strong as their weakest link
Many of them inter-connect with or rely on SS7 network for password resets
A recent article demonstrates how WhatsApp and Telegram was compromised using SS7 link
OTT Apps must be Safe
-
8 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Hackers - Who and Why
Skill Level
Difficulty of Detection & Prevention
Hobbyist- Adventure- Embarrassment
Professional- Looking to Profit- Profits continue as long as they are not detected
Sleeper - Very Professional- Lawful or other intercept- Network shutdown- Commercial Intelligence- Other intelligence
Network Errors
-
9 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Cost of doing nothing
Thief of service
Lost Revenue.
Eternal Payments
Eavesdropping of calls and text
Negative Media event Brand
impact
Fines from Local Regulators Direct impact to bottom
line
Congressional hearings and unwanted regulation of industry
Network DDOS attack
Service impact to all subscribers
Revenue loss
Loss Subscribers to competition
Thief of Subscribers personal information
Criminal and Civil Lawsuits
Fines from regulators
Loss of confidence with Business partners
-
10 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Are you at Risk
Source: http://ss7map.p1sec.com/
-
11 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Industry Response
Share and Compare information with other Carriers
GSMA Fraud and Security Group GSMA PRD FS.11 SS7 interconnect Security Monitoring Guidelines
GSMA PRD FS.07 SS7 and SIGTRAN Network Security Issues
GSMA PRD IR.70 SMS SS7 Fraud
GSMA PRD IR.71 SMS SS7 Fraud Prevention
IR.82 Security SS7 implementation on SS7 network guidelines
Compare with
Finances
Know your Traffic flows
Think Like an
Accountant
Monitor Long
Duration
ACT
GSMA is identify, categorize and remedy threads in IR.82
-
12 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Minimum Steps For Carriers
Never leak the IMSI of your subscribers
Block external signalling messages that are not permitted
Authenticate the sender where messages are permitted from external sources
Audit networks and financial information
Note: GSMA IR82 contains details of the above.
-
13 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
Multi-layer defense
Transport Layer
IP Firewall Network deviceaccess
DOS/DDOS IPSEC
Application Layer
STP / DSC SS7 Advanced Gateway Screening
Gateway Statistics MAP / CAP layerparameters
Message Context SS7 Firewall SMS Fraud DiameterFirewall
Full message inspection
X X
IP FW + Security SS7 STP Signaling FW
X
-
14 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY
When was the last time a security audit was performed on SS7 network?
Am I under Attack right now and vulnerable to future attach?
Do I have Multi-layer Security architecture for Signaling?
Am I leaking IMSI information today?
Are their legitimate messages coming from questionable sources?
Sonus and Cellusys can help today
Further information here:http://www.sonus.net/solutions/mobile-network-operator-solutions/ss7-security
Act Now
-
15 Confidential and Proprietary FOR INTERNAL INFORMATION PURPOSES ONLY