Code: DAP/20-01
Active
Start: June 2020
End: December 2023
We are living in a more and more connected world and for the sake of speed and simplicity our actions are increasingly relying on mobile telecommunication networks. Facing this fast evolution of mainly the last decade, the mobile telecommunication networks are nonetheless based on the old SS7 standard (Signalling System #7) developed in the seventies for operators which trusted each other as they could control access to their proprietary hardware. With the opening of telecommunications to the internet, security has been more difficult to guarantee as testified by known security flaws reported by the security industry [PT18] or major incidents reported in the press [Tan17, Khan17].
This study proposes to analyse the SS7 traffic flow of 3 Belgian Mobile Network Operators (MNO) in order to help the intelligence services (VSSE and ADIV), the Belgian telecom regulator (BIPT) and the MNOs themselves to identify and/or exploit threats. The experience gathered by companies conducting security audits for MNOs in the last years show how relatively easy it is for attackers to use security flaws of SS7 [Puz17] or Diameter [Mash2017] to gather information about subscribers, locate or track them, intercept SMS or calls or perform a denial of service. Some of the conclusions of these audits is that MNOs often lack the knowledge about vulnerabilities and their consequences [Mash17], or should employ additional security measures [Puz17].
The smartphone has become so important in daily life that users should be concerned about its security. We try to explain here some reasons to be or not to be afraid about disclosing the IMSI, the subscriber identity number used in the global telecommunication network.
ReadThe US National Institute of Standards and Technology (NIST) has declared in its Digital Authentication Guideline that SMS-based two-factor authentication should be banned due to security concerns [End of SMS-based 2-Factor Authentication; Yes, It's Insecure!]. We explain why in this blog.
Read