Mobile phone hacking is nothing new. We’ve all read the stories of high profile figures’ phones being hacked to access voicemails and contacts. But a recent 60 Minutes piece highlighted a mobile threat that exploits technology that has been in networks for decades: the Signaling System 7 (SS7) network.
The SS7 network is the signaling network used by mobile carriers to connect and disconnect phone calls, as well as carry text messages. For years, SS7 has been considered a secure technology because it operated in a closed network between carriers, much like time-division multiplexing (TDM) technology. However, hackers can and are breaking into carriers’ SS7 networks to steal information, eavesdrop on conversations, and track the locations of subscribers. As 60 Minutes showed, even members of the U.S. Congress aren’t immune to the threat.
The troubling aspect of SS7-based hacks is that subscribers don’t have the power to protect themselves because the attacks emanate directly from the carrier’s network. Wireless conversations or text messages on otherwise secure networks can be infiltrated without the subscriber’s knowledge once the hacker has access to a subscriber’s International Mobile Subscriber Identity (IMSI) code. This code can be found using a relatively inexpensive device known as an IMSI catcher. Fortunately for carriers, they’re not alone in their fight against SS7-based fraud. Network equipment vendors, as well as industry groups like the GSMA, are developing new security solutions and standards to close up the security vulnerabilities in SS7.
What’s at stake is more than national security. SS7-based hacking could potentially cost carriers millions of dollars in lost revenue, regulatory fines, lawsuits from subscribers, and toll fraud. A shortlist of SS7 security threats includes: eavesdropping on conversations; stolen passwords; re-routed text messages; blocked services; location tracking; and “free” long-distance calling, text messaging, and mobile data that are charged to the hacked subscriber’s account.
Text messaging is particularly vulnerable because many mobile subscribers use the Short Message Service (SMS) on their mobile phones to receive password information – for example, to verify an email account or mobile banking login. Once inside the SS7 network, a hacker—armed with no more information than a phone number—could re-route all SMS messages for that number to their account. At that point, it’s a simple matter for the hacker to request a new banking or credit card password, reset the password, and access the subscriber’s account while effectively locking the subscriber out of their own account.
From Attackable to Unhackable
Because SS7-based attacks can occur in the carrier network or in the external signaling network, mobile carriers should adopt a multi-layered security approach that protects communications both in the signaling stream (via a signaling firewall) and at the network edge (via a signaling gateway). This complementary approach combines a centralized point of control (the STP gateway) with a configurable firewall to block malicious and suspicious attacks from entering the network, hijacking mobile information, or stealing mobile identities.
What does a strong SS7 security solution look like? It should support the full variety of signaling protocols including SCCP, TCAP, MAP, CAP, and Diameter. It should combine SMS firewall capabilities with centralized policy management such as whitelisting/blacklisting (the multi-layer approach previously discussed). It should feature strong signaling encryption. And, of course, it should support the GSMA’s IR.82 standards that are being developed to enforce SS7 security going forward.
There are solutions today on the market that address these needs. But even before mobile carriers begin to look for solutions, they need to understand just how big the SS7 security problem is in their network. In our experience, most mobile carriers underestimate the severity of the problem. True understanding comes by asking some probing questions, such as:
When was the last time we conducted a security audit of our SS7 network?
Are we tracking SS7-based attacks in our network today?
Could we accidentally be leaking IMSI information from our network?
- How much do we know about SS7-based hacking signatures and suspicious/malicious signaling behavior?
These are questions that mobile carriers need to answer, and soon, or run the risk of exposing their subscribers to a lot worse than the thoughtful probing of 60 Minutes.
Mykola Konrad leads Sonus’ global product, Channel and corporate marketing initiatives as the company's Vice President of Product Management and Marketing. Konrad has more than 17 years of technology development and product management experience, most recently serving as Director of Product Management at Sonus.