/SS7-Vulnerability-Research-and-Tutorial

This repository collects SS7 protocol research with a focus on vulnerabilities, security flaws, attack methodologies and techniques, and mitigation strategies. It includes educational tutorials and resources for cybersecurity professionals, researchers, and enthusiasts who want to learn about this specialized and complex class of attack.

SS7 Attack Vulnerability Research and Tutorial

My notes on my latest class "Overview of SS7 Vulnerabilities and Exploitation in Cellular Networks"

(I may rewrite these notes + research and revise them in the future.)

Core Question: What is SS7?

SS7, Signaling System No. 7, is a suite of telephony signaling protocols that enables the exchange of information between network elements in public switched telephone networks (PSTN). Despite its critical role in global telecommunications, SS7 was designed in an era when network security was not a paramount concern, and it carries inherent vulnerabilities as a result. This document provides a comprehensive analysis of the SS7 vulnerabilities exploited by malicious actors, detailing the mechanisms of attack, the implications for cellular network security, and potential mitigation strategies.

SS7-Attack-SimplerHacking com-Live-Stream-9-20-2024

Core Question: What is an SS7 Attack?

An SS7 attack is a cyber exploit that targets vulnerabilities in the Signaling System No. 7 (SS7) protocol, which is integral to global telecommunications networks for functions like call setup, routing, and billing. Due to SS7's inherent trust-based design—lacking robust authentication and encryption—malicious actors can intercept a user's voice calls and text messages, track the location of mobile phone users, or conduct fraud by sending manipulated signaling messages within the network.


The SS7 protocol stack is foundational to global telephony, facilitating call setup, routing, billing, and various value-added services. However, its design lacks robust authentication and encryption mechanisms, making it susceptible to exploitation. In recent years, attackers have leveraged SS7 vulnerabilities to intercept calls and text messages, track user locations, and conduct fraud.


Context on SS7

SS7 operates on the network layer and controls signaling for circuit-switched networks. Key components include:

Service Switching Points (SSPs): Facilitate call routing.

Signal Transfer Points (STPs): Route signaling messages.

Service Control Points (SCPs): Host databases for services like number portability.

The protocol stack comprises several layers, including Message Transfer Part (MTP) levels 1-3, Signaling Connection Control Part (SCCP), and Transaction Capabilities Application Part (TCAP).


Inherent Vulnerabilities in SS7

Lack of Authentication and Security

SS7 trusts all network nodes implicitly, assuming they are legitimate. This trust model is problematic in interconnected networks where access is not tightly controlled.

Insufficient Encryption

Messages in SS7 are typically transmitted in plaintext within the network, exposing sensitive information to interception.

Global Accessibility (Belgium example)

With the proliferation of inter-carrier connections and the advent of IP-based signaling (SIGTRAN), access to SS7 networks has become more widespread, increasing the attack surface.


Attack Vectors and Mechanisms

Location Tracking

Attackers can use the Provide Subscriber Information (PSI) and AnyTime Interrogation (ATI) messages to request a subscriber's location from the Home Location Register (HLR) or Home Subscriber Server (HSS).

How an SS7 location-tracking attack actually works:

Step 1. The attacker sends a PSI/ATI request to the HLR/HSS.

Step 2. The HLR/HSS returns the subscriber's location information.

Step 3. The attacker processes the data to determine the subscriber's approximate location. (REAL TIME) - Princess Example

Intercepting Communications

By exploiting call forwarding features and manipulating routing information, attackers can redirect voice calls and SMS messages to a destination of their choosing.

FURTHER MOA:

Step 1. The attacker sends a Send Routing Information (SRI) request to the HLR.

Step 2. The HLR provides the Mobile Station Roaming Number (MSRN), which is used to route the call.

Step 3. The attacker modifies the MSRN to redirect the call or SMS to a device under their control.

Fraudulent Activities

Attackers can perform International Revenue Share Fraud (IRSF) by generating artificial traffic to premium-rate numbers. (Infinite number paradox).


Real use case:

Step 1. Compromise a subscriber's account via SS7 messages.

Step 2. Initiate calls or messages to premium numbers.

Step 3. Revenue is shared with the attacker through the premium-rate service.


Technical Analysis and Message Manipulation

Attackers exploit the lack of message authentication to send spoofed messages:

MAP (Mobile Application Part) messages: Used for mobility management; can be manipulated for unauthorized queries.

CAMEL (Customized Applications for Mobile networks Enhanced Logic): Can be exploited for call redirection.

SS7 over IP (SIGTRAN) Vulnerabilities

The migration to IP-based signaling introduces additional vulnerabilities:

IP Spoofing and Man-in-the-Middle Attacks: Easier to perform in IP networks.

Denial of Service (DoS): Attackers can flood network elements with signaling messages, causing service disruptions.

Past Incidents:

Several documented cases highlight the exploitation of SS7 vulnerabilities:

Banking Fraud: Attackers intercepted SMS-based two-factor authentication codes to gain unauthorized access to bank accounts.

High-Level Espionage: State-sponsored actors have allegedly used SS7 attacks to monitor high-profile individuals.

Financial Fraud: through SMS Interception and Manipulation.

Malicious Activity Section:


Malicious Activity A:

Attackers could intercept one-time passwords (OTPs) sent via SMS for banking transactions or account logins. By exploiting SS7 vulnerabilities, they can redirect SMS messages containing OTPs to their own devices, enabling unauthorized access to victims' financial accounts.

Implications:

Unauthorized Transactions: Transfer of funds without the account holder's knowledge.

Identity Theft: Access to personal information leading to further fraudulent activities.

Erosion of Trust: Customers may lose trust in financial institutions' ability to secure their assets.

Malicious Activity B:

Espionage and Surveillance

State-sponsored actors or sophisticated attackers might use SS7 vulnerabilities to track the location of individuals, intercept calls, and monitor communications. This could target journalists, activists, political figures, or business leaders.

Implications:

Privacy Invasion: Unauthorized access to personal communications and whereabouts. (See Pegasus)

National Security Risks: Potential exposure of sensitive governmental or military information.

Corporate Espionage: Theft of proprietary business information or trade secrets.

Malicious Activity C:

Disruption of Critical Infrastructure Communications

Attackers could disrupt communications within critical infrastructure sectors like energy, transportation, or emergency services by manipulating SS7 signaling. This could lead to dropped calls, delayed messages, or complete service outages.

Implications:

Service Interruptions: Hindering operations of emergency services, leading to potential loss of life.

Economic Impact: Disruption of business communications causing financial losses.

Public Safety Risks: Inability to communicate during critical events or disasters.

Malicious Activity D:

Mass Spam and Phishing Campaigns

By spoofing network messages and manipulating caller ID information through SS7, attackers can send mass spam SMS or make calls that appear to originate from trusted sources.

This enhances the effectiveness of phishing campaigns aimed at extracting sensitive information from individuals.

Implications:

Increased Phishing Success Rates: Higher likelihood of individuals falling victim to scams.

Data Breaches: Extraction of personal or corporate data leading to broader security compromises.

Reputation Damage: Organizations spoofed in such attacks may suffer reputational harm at mass levels.

Malicious Activity E:

Bypassing Network Authentication for Unauthorized Services

Attackers might exploit SS7 to bypass authentication mechanisms of mobile networks, allowing them to access premium services without paying or to impersonate other subscribers.

Implications:

Revenue Loss for Operators: Unauthorized use of services leads to financial losses.

Legal Liabilities: Victims may be wrongfully held accountable for services they did not use.

Network Congestion: Increased load on network resources affecting overall service quality.

Mitigation Strategies:

Network Segmentation and Filtering

Implement firewalls specifically designed for SS7 to filter illegitimate messages. Restrict access to signaling networks based on origin identifiers.

Anomaly Detection with Advanced AI & Defensive LLMs

Deploy systems that monitor signaling traffic for unusual patterns indicative of an attack. Use machine learning algorithms to adapt to evolving attack methodologies.
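As an added defender-side example (not code from this repository or from the class), the following Python sketch models the two controls above together: origin-based filtering of inbound MAP requests by operation and calling Global Title, and a simple rate check that flags an origin flooding the interconnect. The policy sets, partner GT prefixes, log format and threshold are assumptions for illustration, not text from the GSMA documents.

```python
from collections import Counter

# Hypothetical interconnect policy (an assumption for this example, not a quote
# of the GSMA documents): which MAP operations may arrive from outside the network.
BLOCK_FROM_INTERCONNECT = {"anyTimeInterrogation", "sendIMSI"}   # never legitimate inbound
PARTNER_ONLY = {"provideSubscriberInfo", "sendRoutingInfo", "updateLocation"}
# Constructed Global Title prefixes of roaming partners we have agreements with.
PARTNER_GT_PREFIXES = ("4915", "3361")
# More requests than this from one origin GT in the sample window counts as flooding.
RATE_LIMIT = 3

def parse_record(line):
    """Turn one constructed 'key=value key=value' signaling log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec):
    """Return 'allow' or a drop reason for one inbound MAP request."""
    op, gt = rec["op"], rec["cgGT"]
    if op in BLOCK_FROM_INTERCONNECT:
        return "drop: operation has no legitimate interconnect use"
    if op in PARTNER_ONLY and not gt.startswith(PARTNER_GT_PREFIXES):
        return "drop: calling GT is not a known roaming partner"
    return "allow"

def analyse(lines):
    """Filter every record and list origin GTs whose request count exceeds RATE_LIMIT."""
    verdicts, per_origin = [], Counter()
    for line in lines:
        rec = parse_record(line)
        per_origin[rec["cgGT"]] += 1
        verdicts.append((rec["ts"], rec["cgGT"], rec["op"], classify(rec)))
    flooders = sorted(gt for gt, n in per_origin.items() if n > RATE_LIMIT)
    return verdicts, flooders

# Constructed sample: one partner roamer update, one partner PSI, and a burst of
# location/routing queries from an unknown calling GT (the pattern behind PSI/ATI tracking).
SAMPLE_LOG = [
    "ts=10:00:01 cgGT=4915001 op=updateLocation",
    "ts=10:00:02 cgGT=7700001 op=anyTimeInterrogation",
    "ts=10:00:03 cgGT=3361002 op=provideSubscriberInfo",
    "ts=10:00:04 cgGT=7700001 op=sendRoutingInfo",
    "ts=10:00:05 cgGT=7700001 op=sendRoutingInfo",
    "ts=10:00:06 cgGT=7700001 op=anyTimeInterrogation",
]

if __name__ == "__main__":
    results, flooding = analyse(SAMPLE_LOG)
    for ts, gt, op, verdict in results: print(f"{ts} {gt:<8} {op:<22} {verdict}")
    print("flooding origins:", flooding)
```

A real SS7 firewall would additionally check the subscriber's current location against the origin network and rate-limit per IMSI, which this sketch omits.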

Enhanced Authentication Mechanisms

Introduce application-level authentication for critical SS7 messages. Utilize Diameter protocol in LTE networks, which includes improved security features.

Subscriber-Level Protections

Encourage the use of end-to-end encryption applications for sensitive communications. Implement alternative methods for two-factor authentication, such as hardware tokens or app-based authenticators.

Regulatory and Standardization Efforts

GSMA Recommendations

The GSM Association (GSMA) has issued guidelines (FS.07 and FS.11) for SS7 security, recommending best practices for operators.

Industry Collaboration

Operators are encouraged to share threat intelligence and coordinate on security measures to protect interconnected networks.

Future Directions

With the ongoing deployment of 5G networks and the continued reliance on legacy systems, a hybrid approach is necessary:

Transition Strategies: Gradually phase out SS7-dependent services.

Research and Development: Invest in secure signaling protocols and advanced cryptographic techniques.

Policy and Compliance: Governments and regulatory bodies should enforce stringent security requirements for telecommunication providers.

Conclusion

Wrap Up

The vulnerabilities in the SS7 protocol pose significant risks to cellular network security. Attackers exploiting these weaknesses can cause widespread harm, from personal privacy breaches to large-scale financial fraud. A multifaceted approach involving technical safeguards, industry collaboration, and regulatory action is essential to mitigate these threats. Ongoing research and proactive security measures are critical to securing current and future telecommunication infrastructures.

Curriculum Reference

N. Blumberg and D. Vodopivec, "SS7 Network Security: A Comprehensive Analysis," IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 1909-1948, 2019.

Acronyms and Abbreviations and Shit

ATI: AnyTime Interrogation

CAMEL: Customized Applications for Mobile networks Enhanced Logic

DoS: Denial of Service

HLR: Home Location Register

HSS: Home Subscriber Server

IRSF: International Revenue Share Fraud

MAP: Mobile Application Part

MSRN: Mobile Station Roaming Number

PSI: Provide Subscriber Information

SCP: Service Control Point

SIGTRAN: Signaling Transport

SRI: Send Routing Information

SS7: Signaling System No. 7

SSP: Service Switching Point

STP: Signal Transfer Point

TCAP: Transaction Capabilities Application Part

END + Tutorial TBA soon.