Ss7 vulnerabilities and attack exposure



SS7 Vulnerability 2017 A4.ENG .0003.03

Monitor / Audit / Protect
"See your network the way a hacker sees it not how you imagine it"
Continual real-time monitoring is essential to measure network security efficiency and provide rapid detection and mitigation.
"See threats specific to your network and use that intelligence to defend. Hackers read GSMA recommendations too!"
Completely secure your network by addressing both vulnerabilities described in GSMA and the threats that actually affect you as an ongoing process.
"Any filtering is only as effective as the rules it is given to apply. PT provide the ongoing intelligence and visibility to customers"
Figure 20. Recommended approach to signaling network security


ATTACKS ON SS7 NETWORKS
We have examined vulnerabilities in SS7 networks and potential threats related to their exploitation. One question remains open: how do security research results compare with the capabilities of real-life criminals? In this section, we will share the results of security monitoring projects in SS7 networks, and see what kind of attacks mobile operators actually face and whether existing security measures are effective in practice.
Methodology
Security monitoring projects in SS7 networks were carried out for large telecom operators in Europe and the Middle East. They were aimed at demonstrating the capabilities of the PT Telecom Attack Discovery (PT TAD) system, which is designed to analyze signaling traffic in real time and detect illegitimate activity, with the possibility of blocking unauthorized messages and notifying third-party systems for traffic filtering and blocking. This approach allows potential threats to be identified in a timely manner and handled without adversely affecting network operation.
PT TAD can also be used as a passive system for detecting illegitimate activity. In this case, the system allows analysis to be carried out, but does not affect the traffic flow. This study presents the results of traffic monitoring in passive mode.
[Diagram labels: SS7, MSC/VLR, HLR, PT TAD in passive mode, Manufacturing, End user, Smart city, Connected car]
Figure 21. Diagram of hardware connection for analyzing signaling traffic with PT TAD in passive mode
SS7 VULNERABILITIES
AND ATTACK EXPOSURE REPORT


Statistics on attacks detected
In all networks where security monitoring was carried out, SMS Home Routing was used, while a filtering and blocking system for signaling traffic was installed in every third network.
During the monitoring, we obtained results indicating that attackers are not only well aware of security problems in signaling networks but also actively exploit these vulnerabilities.
In the table, the vertical axis shows the distribution of all attack attempts broken down by method. The percentage of successful attacks is given for each threat and separately for each method. An empty cell means that the message does not lead to threat realization.
For example, in 79.9 percent of cases an attempt to get a subscriber's IMSI is performed by attackers using the SendRoutingInfo method. Overall, in 34.5 percent of cases attackers successfully managed to obtain IMSI with that method or another. As for SendRoutingInfo, the method was successful in 22.6 percent of attack attempts.
| Method | Subscriber information disclosure: IMSI disclosure | Subscriber information disclosure: Subscriber location disclosure | Subscriber information disclosure: Subscriber profile information disclosure | Network information disclosure | Fraud: Call redirection | Fraud: Exploitation of USSD request manipulation | Fraud: Real-time billing evasion | SMS interception | Disruption of service availability for subscribers | Percentage of successful attacks |
|---|---|---|---|---|---|---|---|---|---|---|
| SendRoutingInfoForSM | 15.7% | | | 5.2% | | | | | | 87.2% |
| SendRoutingInfoForLCS | 3.3% | | | 1.1% | | | | | | 1.1% |
| SendRoutingInfo | 79.9% | 27% | | 26.3% | | | | | | 22.6% |
| SendIMSI | 1.1% | | | | | | | | | 65.6% |
| AnyTimeInterrogation | | 69.3% | | 67.4% | | | | | | 13.3% |
| ProvideSubscriberInfo | | 3.7% | | | | | | | | 58.6% |
| RestoreData | | | 84% | | | | | | | 0.5% |
| UpdateLocation | | | 0.9% | | 4.7% | | | 100% | 4.6% | 100% |
| AnyTimeSubscriptionInterrogation | | | 14.8% | | | | | | | 0% |
| InterrogateSS | | | 0.3% | | | | | | | 58.8% |
| AnyTimeModification | | | | | 0.6% | | 0.5% | | 0.6% | 0.1% |
| InsertSubscriberData | | | | | 93.2% | | 86.7% | | 90.6% | 1.5% |
| RegisterSS | | | | | 1.5% | | | | 1.4% | 26.7% |
| ProcessUnstructuredSS | | | | | | 0.6% | | | | 53.3% |
| UnstructuredSSNotify | | | | | | 99.4% | | | | 31.1% |
| DeleteSubscriberData | | | | | | | 12.8% | | | 2.1% |
| PurgeMS | | | | | | | | | 2.8% | 53.3% |
| Percentage of successful attacks | 34.5% | 17.5% | 1.5% | 20.1% | 6.5% | 31.2% | 1.5% | 100% | 7.8% | |
Table 3. Distribution of attacks by threat types


As we found out, the source of most attacks is not national telecom operators of the country where security monitoring was carried out, but rather global telecom operators. Meanwhile, suspicious requests come mainly from countries of Asia and Africa. This may be because in these countries attackers consider it easier and cheaper to buy access to the SS7 network. It is noteworthy that there is no need for physical access to equipment of the operator that provided connection to SS7—an intruder can attack from any point of the globe.
To demonstrate the average number of attacks per day, we selected a large operator with a subscriber base of over 40 million people. The operator gave consent to publishing the data without specifying the company name.
Table 4. Average number of attacks per day by threat types
| Threat | Average number of attacks per day |
|---|---|
| Subscriber information disclosure | 4,827 |
| - IMSI disclosure | 3,087 |
| - Subscriber location disclosure | 3,718 |
| - Subscriber profile disclosure | 47 |
| Network information disclosure | 4,294 |
| Fraud | 62 |
| - Call redirection | 2 |
| - USSD request manipulation | 59 |
| - Real-time billing evasion | 2 |
| SMS interception | 1 |
| Disruption of service availability for subscribers | 4 |


Information leakage 
Almost all the attacks were aimed at disclosing information about the subscriber and the operator's network. Fraud, subscriber traffic interception, and disruption of service availability for subscribers totaled less than 2 percent.[2]
Such distribution is due to the fact that an intruder first needs to obtain subscriber identifiers and host addresses of the operator's network. Further attacks are subject to obtaining all the necessary data at the first stage. Still, data mining does not necessarily mean an imminent targeted attack on the subscriber. Instead of carrying out technically complicated attacks, there is an easier way to make a profit by selling information to other criminal groups. Mass single-type requests may indicate that attackers are building subscriber databases, in which telephone numbers are matched against user identifiers, and collecting the operator's data for a subsequent sale of obtained information on the black market.
Every third attack aimed to get a user IMSI, and every fifth attack aimed at disclosing network configuration helped attackers obtain information they were looking for.
To obtain information, mainly two methods were used: AnyTimeInterrogation and SendRoutingInfo. Both of them allow network information disclosure, and SendRoutingInfo alone returns a subscriber IMSI; in addition to that, these messages allow subscriber location to be detected. As our results show, in 17.5 percent of cases network responses to such requests contained data regarding subscriber location.
Filtering settings on network equipment (STP, HLR) or a correctly configured filtering system for signaling traffic would completely eliminate the possibility of attacks using these messages and, therefore, mitigate the risk of other threats. However, in practice, message filtering options are not always set correctly. For instance, the percentage of responses to suspicious requests aimed at detecting user location was half as high in networks protected with a signaling traffic blocking system as in other networks. Approximately the same results were obtained for attacks aimed at disclosing network configuration and subscriber identifiers. Overall, these are good indicators. They point to effective protection measures. Still, if the configuration were correct, the proportion of successful attacks would be reduced to zero.
It is noteworthy that all networks used the SMS Home Routing system to counteract attacks based on the SendRoutingInfoForSM method. The SendRoutingInfoForSM message requests information needed to deliver the incoming SMS: the subscriber identifier and the serving host's address. In normal operating mode, an incoming SMS should follow this message, otherwise the requests are considered illegitimate.
[2] The UpdateLocation procedure returns information about the subscriber's profile. However, we suppose that by registering a subscriber in a fake network an intruder primarily pursues other goals: interception of terminating calls or SMSs, or subscriber denial of service.
[Chart values: Disclosure of subscriber information or network configuration 98.68%; Other attacks 1.32%]
Figure 22. Distribution of attacks by threat types
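
The SendRoutingInfoForSM check described above (a routing query should be followed by an incoming SMS) and the "mass single-type requests" indicator, as an added detection example that is not part of the original report and is not PT TAD code. The record format, the global-title labels, the 30-second window and the threshold of three numbers are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed probe records (hypothetical format, not PT TAD output):
# (time_s, source global title, MAP operation, MSISDN queried, IMSI returned/addressed)
EVENTS = [
    (0.0,   "gt-partner-1", "SendRoutingInfoForSM", "msisdn-A", "imsi-A"),
    (1.5,   "gt-partner-1", "MT-ForwardSM",         None,       "imsi-A"),
    (10.0,  "gt-unknown-7", "SendRoutingInfoForSM", "msisdn-B", "imsi-B"),
    (10.4,  "gt-unknown-7", "SendRoutingInfoForSM", "msisdn-C", "imsi-C"),
    (10.9,  "gt-unknown-7", "SendRoutingInfoForSM", "msisdn-D", "imsi-D"),
    (20.0,  "gt-partner-2", "SendRoutingInfoForSM", "msisdn-E", "imsi-E"),
    (200.0, "gt-partner-2", "MT-ForwardSM",         None,       "imsi-E"),  # too late
]

WINDOW_S = 30.0   # assumed maximum gap between routing query and SMS delivery
MASS_TARGETS = 3  # assumed threshold for "mass single-type requests"


def unmatched_sri_sm(events, window=WINDOW_S):
    """SendRoutingInfoForSM requests not followed by an SMS from the same source."""
    deliveries = defaultdict(list)
    for ts, gt, op, _msisdn, imsi in events:
        if op == "MT-ForwardSM":
            deliveries[(gt, imsi)].append(ts)
    flagged = []
    for ts, gt, op, msisdn, imsi in events:
        if op != "SendRoutingInfoForSM":
            continue
        # Legitimate use: the same source delivers an SMS to that IMSI shortly after.
        followed = any(0 <= t - ts <= window for t in deliveries[(gt, imsi)])
        if not followed:
            flagged.append((ts, gt, msisdn))
    return flagged


def mass_requesters(flagged, threshold=MASS_TARGETS):
    """Sources whose unmatched requests cover at least `threshold` distinct numbers."""
    targets = defaultdict(set)
    for _ts, gt, msisdn in flagged:
        targets[gt].add(msisdn)
    return {gt: len(nums) for gt, nums in targets.items() if len(nums) >= threshold}


if __name__ == "__main__":
    flagged = unmatched_sri_sm(EVENTS)
    print("unmatched SendRoutingInfoForSM:", flagged)
    print("mass requesters:", mass_requesters(flagged))
```

The late delivery from gt-partner-2 is flagged as unmatched but does not reach the mass-request threshold, which separates a single anomaly from database-building behaviour.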
