The SS7 core infrastructure can no longer be trusted
Our multi-year research has identified a number of severe vulnerabilities in the Signalling System 7 core infrastructure protocols for voice networks.
Track Users
Track subscribers down to street level
Billing Fraud
Modify subscriber data for billing fraud
Intercept Calls
Remote interception of telephone calls
What is SS7?
Short for Signaling System 7, SS7 creates an international roaming infrastructure that, by its nature, transmits confidential customer data between networks and countries to support the seamless roaming services subscribers expect.
The Public Is Becoming Aware
The assumption that national telecom networks offer a safe haven against foreign espionage has long since been disproven.
SS7: Locate. Track. Manipulate.
- Speaker: Tobias Engel
- Event: Chaos Communication Congress [31c3]
Companies are now selling the ability to track your phone number wherever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it.
Worldwide Tracking Services
Not just for Governments and Intelligence Agencies
The SS7 network has been used by intelligence agencies and various other entities to track the location of customers and to help intercept calls and SMS.
Cellular carriers, VoIP providers, and third-party SMS services that piggyback on the global cellular network all have access to SS7, and some choose to share that access with others or sell it.
How are the networks vulnerable?
We can demonstrate a variety of ways SS7 is used for street-level mobile phone localization, data theft, remote interception of calls, and more…
Here are some basic examples.
Cell-Level Tracking
In cities, it is possible to track subscribers down to street level.
HLR block/filter bypass
An HLR block or filter can be circumvented by querying the Visitor Location Register instead, which still returns the global cell ID.
One method of billing fraud is via USSD codes.
Remote interception of telephone calls
The call is routed to the attacker’s system. The attacker bridges the call to the original called party and records the conversation.
The Solution
ESD OVERSIGHT
The First Cellular Network Firewall
ESD OVERSIGHT – Detect
- Analysis of protocol data and alarm/logging of events
- No network interference (passive connection via network tap)
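As an added illustration of passive detection (not ESD OVERSIGHT's own logic and not code from the original page), the sketch below shows why monitoring must cover location queries sent to the VLR as well as those sent to the HLR. The operation codes are the MAP values from 3GPP TS 29.002; the global-title prefixes, IMSI prefixes, event format and function names are constructed assumptions.

```python
# MAP operation codes as defined in 3GPP TS 29.002.
ANY_TIME_INTERROGATION = 71    # location query answered by the HLR
PROVIDE_SUBSCRIBER_INFO = 70   # location query answered by the VLR/MSC

# Constructed placeholders for the operator's own address space.
HOME_GT_PREFIXES = ("99900",)  # global titles of the operator's own nodes
HOME_IMSI_PREFIX = "00101"     # MCC/MNC of the operator's own subscribers

# Constructed sample of decoded MAP invokes, as a passive tap might log them.
EVENTS = [
    {"calling_gt": "999000000001", "opcode": 71, "imsi": "001010000000001"},
    {"calling_gt": "999110000001", "opcode": 71, "imsi": "001010000000001"},
    {"calling_gt": "999110000001", "opcode": 70, "imsi": "001010000000001"},
    {"calling_gt": "999220000005", "opcode": 70, "imsi": "002020000000009"},
    {"calling_gt": "999220000005", "opcode": 2,  "imsi": "002020000000009"},
]

def is_home_gt(gt):
    """True when the calling global title belongs to the operator itself."""
    return gt.startswith(HOME_GT_PREFIXES)

def check(event):
    """Return an alarm reason for a suspicious location query, else None."""
    if is_home_gt(event["calling_gt"]):
        return None
    op = event["opcode"]
    if op == ANY_TIME_INTERROGATION:
        return "anyTimeInterrogation from external GT"
    if op == PROVIDE_SUBSCRIBER_INFO and event["imsi"].startswith(HOME_IMSI_PREFIX):
        # An own subscriber's HLR is in the home network, so a VLR query for
        # that IMSI from an external GT did not come from its HLR.
        return "provideSubscriberInfo for home IMSI from external GT"
    # provideSubscriberInfo for an inbound roamer is expected from the roamer's
    # home HLR; matching that GT to the IMSI's network is not covered here.
    return None

def alarms(events):
    """Return (event index, reason) for every event that raises an alarm."""
    return [(i, reason) for i, ev in enumerate(events)
            if (reason := check(ev)) is not None]

if __name__ == "__main__":
    for index, reason in alarms(EVENTS):
        print(f"event {index}: {reason} (from {EVENTS[index]['calling_gt']})")
```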
ESD OVERSIGHT – Protect
- Active firewall solution
SS7 Network Penetration Testing
The Oversight SS7 testing & consulting offering is designed to assist a mobile network operator in determining to what extent the network elements (HLR, VLR/MSC, SGSN) under the client’s management are vulnerable to certain known SS7/MAP attack vectors.
Penetration tests are being carried out for a selection of cellular carriers around the world who have recognised the need to ensure their networks and their subscribers are protected from the potential damage these vulnerabilities can cause.