Signaling network vulnerabilities exposed: protection strategies for operators
Ilia Abramov, Product Director
SS7 network security takes the stage
December 2014: annual Chaos Communication Congress event held in Hamburg
Featured 3 presentations on SS7 security:
• SS7: Locate Track Manipulate
• Mobile self-defence
• SS7 Map – Mapping vulnerability of international mobile roaming infrastructure
Demonstrated attacks through SS7 interconnects:
• Location and tracking of mobile users
• Denial of Service attacks
• Eavesdropping via man in the middle attack – 2G and 3G
• Traffic diversion
• De-anonymization
• Fraud
• Spam
XURA SIGNALING FRAUD MANAGEMENT
Anatomy of signaling exploitation
Illegal access to operator HLR (SRI, Femto cell, ATI, etc.)
Impact:
• Loss of subscriber privacy
• Loss of revenue by the MNO (location tracking service)
Faking of the subscriber profile (multiple ways)
Impact:
• Loss of subscriber privacy
• Subscriber churn
• Legal exposure of MNO up to revoking of license
Faking of the subscriber profile (multiple ways)
Impact:
• Loss of subscriber privacy
• Impact on A2P revenue due to compromised 2 layer authentication
Faking of the network element addressing
Impact:
• Attack on the other operator network
• Revenue impact (e.g. fake SMSC)
• Exposure of own network element in the other operator attack
Diagram labels: SMS interception; Location tracking of the subscribers; Voice Call interception; Spoofing of the network elements
Nothing is safe beyond your network border
VLR, HLR/HSS
• Impersonation
• Service abuse
• Call interception
• DoS attack
• Location tracking
• Subscriber profile faking
Attacker Goals:
- Specific subscriber (eavesdropping)
- Network elements (information extraction, service interruption, DoS)
- MNO Service & Revenue
• FemtoCell (IMSI harvesting)
• Crypto cracking
Attack motivation
Confidential data
Private and business conversations
Messaging and data
Most valuable asset is INFORMATION!
DoS attack on subscriber
Enforced service degradation
Service interruption
IRSF calls
Messaging fraud
Grey Routes
Financial
Anatomy of the signaling attacks
Diagram steps: obtain subscriber IMSI; fake subscriber profile; receive call, SMS, data
Diagram labels: IMSI; Fake; HLR/HSS; MSC/MME; HLR/VLR; SRI-SM; ATI
Attacks on subscriber private communication
Main attack action
Mitigation: Technical measures
FASG
Keeping one’s network safe is an ongoing task of determining & blocking attacks, to be done by signalling experts
Can only be automated partially
SS7 firewall; SMS Home Routing/Firewall
Monitor to see what kind of attacks your network is exposed to
See the SS7 Monitoring Guidelines, authored by RIFS
Filter at the network edge
Diameter Edge Agent (DEA) at the edge to the IPX Network
IMSI Harvesting
Diagram labels: HLR phishing; HLR/HSS; SRI for SM; ATI; Home Routing; STP filtering; FemtoCell; IMSI
Impossible to have full IMSI protection
However, all security measures make sense
Native Network integration
Real-Time monitoring
Traffic Control & Enforcement
Efficient security enforcement
Signalling Fraud Management
• Detects signalling flow irregularities
• Implements signalling policies
• Provides operator with detailed insight
• Prevents faking
Potential IP vulnerabilities rise in Telco industry
SS7
SIGTRAN
EPC Diameter
IMP SIP
Attack dimensions and Impact
Issue                            Risk     Cost
Prepaid Abuse                    High     High
Denial of Service (area)         High     High
VoIP Originated SS7 Injection    Medium   High
Financial/charging fraud         High     High
Privacy Theft                    Medium   Medium
IoT intrusion                    High     High
Diameter attacks occur in multiple dimensions:
• AVP combinations and values
• Sequencing and Flow
• Optional parameters
Protecting EPC signaling network
Enable secure transport for the interconnects
• Ensures 1st hop protection
• Challenge: administration nightmare
• Does protect from signalling attacks
Validate protocol consistency
• Check packet compliancy
• Enforce Diameter message dictionary to the applications
• Selectively filter any protocol extensions
• Perform address consistency validation
Monitor and Act
• Collect interconnect signaling data
• Analyze detected inconsistencies
• Identify the sources
• Engage with roaming partners
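The protocol consistency checks on this slide, sketched as an added example (not Xura's code or any DEA product's API): a decoded inbound Diameter request is checked against a command dictionary, an AVP allow-list, and the realm provisioned for the peer it arrived from. The message layout, peer table, allow-lists and the rule that Origin-Host must sit inside Origin-Realm are assumptions for illustration; the S6a application ID and command codes are those of 3GPP TS 29.272.

```python
# Added illustration: edge checks on already-decoded Diameter requests.
# Message layout, peer table and allow-lists are assumptions, not a product API.
S6A = 16777251  # 3GPP S6a/S6d application ID

# Dictionary enforcement: requests accepted toward our HSS from visited networks.
ALLOWED_COMMANDS = {
    (S6A, 316): "Update-Location",
    (S6A, 318): "Authentication-Information",
    (S6A, 321): "Purge-UE",
}
# AVPs expected on this interconnect; anything else is a filtered extension.
ALLOWED_AVPS = {"Session-Id", "Auth-Session-State", "Origin-Host", "Origin-Realm",
                "Destination-Realm", "Destination-Host", "User-Name",
                "Visited-PLMN-Id", "RAT-Type", "ULR-Flags"}
# Realm each directly connected peer is provisioned for (constructed value).
PEER_REALMS = {"10.0.0.5": "epc.mnc001.mcc001.3gppnetwork.org"}

def validate(peer_ip, msg):
    """Return a list of findings; an empty list means the request passes."""
    findings = []
    avps = msg["avps"]
    if (msg["app_id"], msg["code"]) not in ALLOWED_COMMANDS:
        findings.append("command not in dictionary")
    extra = sorted(set(avps) - ALLOWED_AVPS)
    if extra:
        findings.append("unexpected AVPs: " + ",".join(extra))
    realm = PEER_REALMS.get(peer_ip)
    origin_realm = avps.get("Origin-Realm", "").lower()
    if realm is None:
        findings.append("unknown peer")
    elif origin_realm != realm:
        findings.append("Origin-Realm does not match peer")
    # Address consistency: Origin-Host must be a host inside the realm it claims.
    host = avps.get("Origin-Host", "").lower()
    if not origin_realm or not host.endswith("." + origin_realm):
        findings.append("Origin-Host outside Origin-Realm")
    return findings

# Constructed sample messages (test PLMN values, not captured traffic).
SAMPLE_OK = {"app_id": S6A, "code": 316, "avps": {
    "Session-Id": "mme01;1;1", "User-Name": "001010000000001",
    "Origin-Host": "mme01.epc.mnc001.mcc001.3gppnetwork.org",
    "Origin-Realm": "epc.mnc001.mcc001.3gppnetwork.org"}}
SAMPLE_BAD = {"app_id": S6A, "code": 319, "avps": {
    "Session-Id": "x;1;1", "Subscription-Data": b"",
    "Origin-Host": "hss.epc.mnc002.mcc002.3gppnetwork.org",
    "Origin-Realm": "epc.mnc002.mcc002.3gppnetwork.org"}}
```

Findings from a check like this are the interconnect data that the Monitor and Act step collects and analyzes.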
Signaling network protection strategy
Protect Legacy SS7/SIGTRAN network
• Focus on interconnect first
• GSMA Recommendation
• Signaling Firewall
• Signaling flow monitoring and analytics
Secure design of EPC
• Ensure external connectivity via secure DEA
• Enable transport security
• Enforce protocol consistency
• Implement Protocol level enforcement
• Signaling flow monitoring and analytics
Ensure signaling perimeter control & monitoring
• Monitoring and analysis
• Protocol enforcement capabilities
Your partner in signaling security
Understanding of signalling network architecture and principles
Years of reliable carrier grade signalling service
Guaranteed confidentiality!
Revenue assurance
Network audit and penetration testing
Enforcement of security policies and real-time monitoring
Get in touch
Email [email protected]
Check out http://www.xura.com/our-services/digital-communications/security
Complimentary white papers