Security issues related to SS7 and Diameter

Intrusion Detection

DAP/20-01

Active

Defence Funded Research

June 2020 to June 2025

61 months

Charles Beumier, Thibault Debatty

We live in an increasingly connected world, and for the sake of speed and simplicity our actions rely more and more on mobile telecommunication networks. Despite their rapid evolution, mainly over the last decade, mobile telecommunication networks are still based on the old SS7 standard (Signalling System #7), developed in the seventies for operators that trusted each other because they could control access to their proprietary hardware. With the opening of telecommunications to the internet, security has become more difficult to guarantee, as shown by known security flaws reported by the security industry [PT18] or major incidents reported in the press [Tan17, Khan17].

This study proposes to analyse the SS7 traffic flow of 3 Belgian Mobile Network Operators (MNOs) in order to help the intelligence services (VSSE and ADIV), the Belgian telecom regulator (BIPT) and the MNOs themselves to identify and/or exploit threats. The experience gathered in recent years by companies conducting security audits for MNOs shows how relatively easy it is for attackers to use security flaws of SS7 [Puz17] or Diameter [Mash17] to gather information about subscribers, locate or track them, intercept SMS or calls, or perform a denial of service. Among the conclusions of these audits are that MNOs often lack knowledge about vulnerabilities and their consequences [Mash17], or should employ additional security measures [Puz17].

References

  • [PT18] SS7 VULNERABILITIES AND ATTACK EXPOSURE REPORT 2018, Positive Technologies.
  • [Tan17] H. Tanriverdi, M. Zydra, “Schwachstelle im Mobilfunknetz: Kriminelle Hacker räumen Konten leer”, Süddeutsche Zeitung, 3. Mai 2017.
  • [Khan17] S. Khandelwal, “Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts”. The Hacker News. Retrieved 2019-Mar-04.
  • [Puz17] S. Puzankov, “Stealthy SS7 Attacks”, Journal of ICT Standardization, VOL 5, No 1, pp 39-52, 2017.
  • [Mash17] S. Mashukov, “Diameter Security: An Auditor’s Viewpoint”, Journal of ICT Standardization, VOL 5, No 1, pp 53-68, 2017.

Publications

Pseudonymisation by random tables

SS7

Pseudonymisation is a technique for data privacy protection that replaces personal information with artificial identifiers called pseudonyms. Some level of identification is retained, typically for analysis purposes. In contrast, anonymisation removes all identifying information.

Are SMS messages vulnerable in 5G ?

SS7 Phishing

This blog discusses the security of SMS in the context of 5G. In a preceding blog (https://cylab.be/blog/171/sms-based-2-factor-authentication-is-insecure), we already addressed the issue of SMS interception in 2G/3G networks and its potential consequences for 2-Factor Authentication. Here, we analyze the situation within the 5G ecosystem.

Mobile Phones: Should you be afraid of disclosing your IMSI ?

SS7

The smartphone has become so important in daily life that users should be concerned about its security. We try to explain here some reasons to be or not to be afraid about disclosing the IMSI, the subscriber identity number used in the global telecommunication network.

SMS-based 2-Factor Authentication is insecure !

SS7

The US National Institute of Standards and Technology (NIST) has declared in its Digital Authentication Guideline that SMS-based two-factor authentication should be banned due to security concerns [End of SMS-based 2-Factor Authentication; Yes, It’s Insecure!]. We explain why in this blog.
