Legacy SS7 protocol puts telco security in the spotlight

“They used to tell me, no, this is bullshit. People are not compromising telecom networks in order to get intelligence. We had to actually show, here is my exploit.”

It’s no secret that legacy telecoms infrastructure presents countless roadblocks for mobile network operators (MNOs). On the seemingly never-ending drive to modernise outdated and unsupported hardware and technology, there’s one stubborn protocol that leaves MNOs, and their customers, open to large-scale hacking attacks. 

SS7, or Signalling System No. 7, is a cyber criminal’s dream. When exploited, SS7 flaws enable everything from location tracking and voice data interception to spyware delivery and the bypassing of two-factor authentication. Forming a major backbone of the global telecommunications network, SS7 is essential for interconnections, especially roaming, between MNOs.

“We cannot say that this is a new issue,” says Dmitry Kurbatov, co-founder of telecom network security solutions provider, SecurityGen. “It would be fair to say that security faults in the telecom industry are very nice targets for hackers, because there’s a lot of obscure and proprietary technologies spanning multiple generations around.”

The growth of shadow assets, equipment and hardware left following mergers and acquisitions which no one is fully in control of, adds to the telco security puzzle, says Kurbatov.

“This is simply the reality: SS7 has been in the technology stack for more or less 30 years in mobile technology,” he adds. 

Telco security and longstanding weakness

While not attributed to an SS7 breach, the recent Chinese cyberattacks against US telecommunications networks, dubbed Salt Typhoon, showed the widespread weaknesses in telco security. The chair of the US Senate Intelligence Committee, Senator Mark Warner, went as far as describing the attacks as the “worst telecom hack in our nation’s history.”

“The telecom industry moves slow, so it takes time to digest and accept the fact that, yes, SS7 might be an issue. Likely now things will change, because all this is coming to the surface, so it’s harder to ignore,” adds Kurbatov.

Philippe Langlois, CEO of telecom security firm P1 Security, believes a central issue for telco security is the fact that MNOs have to be accepting of a lot of old technology. Many people are still using handsets that only connect to 2G through insecure devices that don't have the ability to keep up with more recent encryption. 

“There are always these kind of attacks on the roaming side,” says Langlois.

Network operators can be based on modern technology, but they still have remnants of the previous networks which are still there from the 90s.

“Sometimes the vendors went out of business or were acquired, many times with product lines being abandoned, so there's no support, right? You kind of have to make little enclaves that you need to protect these extra layers of security, because if someone gets in them, the whole system is compromised,” adds Langlois.

BT security chief: IMSI data scrambling

For Dave Harcourt, BT's Chief Security Authority & Automation Director, finding solutions to an interconnected problem like SS7 requires collaboration across the industry.

“Many SS7 attacks take place due to exploits of International Mobile Subscriber Identity (IMSI) data – which is why we’ve taken a range of steps (such as IMSI scrambling) to protect how we use and share IMSI data,” he says.

“These steps have made it much harder to launch SS7 attacks, and materially reduced the volume of SS7 threats we see – but IMSI leakage can still take place due to other factors, such as unauthorised usage by phone apps, and through the exchange of IMSI data when you’re roaming abroad,” adds Harcourt.

SS7 firewalls

When Langlois started talking to telco CTOs about the major vulnerabilities of SS7, they couldn’t believe these exploits were possible.

“They used to tell me, no, this is bullshit. People are not compromising telecom networks in order to get intelligence. We had to actually show, here is my exploit.”

While the risks posed by SS7 are now well-known across the industry, much more funding needs to go to boost defences against hackers. In its latest cyber heat map, ratings agency Moody’s moved the telecoms sector to the very high risk category, underscoring the immense security issues in the space.

“The problem is not with the fact that we don’t have ways to make it secure, we have ways to make it much more secure. The problem is more that there's a lack of investment,” adds Langlois.

Security by design is now a starting point in the telecoms industry, but this wasn’t the case when the SS7 protocol was created. “[Telcos] are dealing with a protocol that was not designed with security in mind.”

Growing pressure from regulators, governments and security agencies is forcing the hand of telecoms and pushing them to implement firewalls to block malicious attacks. But, due to the complex nature of communications between MNOs, it’s not as simple as just getting a solution in place and leaving it to work.

Roaming issues...

For example, after a firewall is set up and configured, the moment an operator launches a new roaming agreement, it will have to be changed to update the rules, add some additional prefixes and make the firewall aware that there is now a new partner that needs to filter in a certain way. 

“All of these messages need to be configured correctly so that they're letting the correct messages in and blocking the ones that we don't want to come in,” explains Jean Gottschalk, principal security consultant at SS7 mobile network security firm Telecom Defense. 
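The rule-maintenance problem described above, sketched as an added example (not code from the article or from any vendor's firewall): a default-deny filter keyed on the sender's global-title prefix, showing a new partner blocked until its prefix is configured and an overly broad prefix flagged for audit. The prefixes, partner names and per-partner operation policy are constructed for illustration; the operation names are standard MAP operations.

```python
from dataclasses import dataclass

# Illustrative policy: operations a visited network sends to the home network
# when a subscriber roams. A real rule set is operator-specific.
ROAMING_OPS = frozenset({"updateLocation", "sendAuthenticationInfo"})

@dataclass(frozen=True)
class PartnerRule:
    partner: str
    gt_prefix: str          # prefix of the sender's global title (digits)
    allowed_ops: frozenset

class RoamingFilter:
    """Default-deny filter keyed on the sender's global-title prefix."""

    def __init__(self):
        self.rules = []

    def add_partner(self, partner, gt_prefix, allowed_ops=ROAMING_OPS):
        if not gt_prefix.isdigit():
            raise ValueError("prefix must be digits only")
        self.rules.append(PartnerRule(partner, gt_prefix, frozenset(allowed_ops)))

    def decide(self, calling_gt, operation):
        # Longest matching prefix wins, so a specific rule beats a broad one.
        hits = [r for r in self.rules if calling_gt.startswith(r.gt_prefix)]
        rule = max(hits, key=lambda r: len(r.gt_prefix), default=None)
        if rule is None:
            return ("block", "no roaming agreement on file")
        if operation not in rule.allowed_ops:
            return ("block", f"{operation} not allowed from {rule.partner}")
        return ("allow", rule.partner)

    def broad_prefixes(self):
        # Rules whose prefix also covers another partner's range: audit these.
        return [(a.partner, b.partner) for a in self.rules for b in self.rules
                if a is not b and b.gt_prefix.startswith(a.gt_prefix)]

def demo():
    fw = RoamingFilter()
    fw.add_partner("Partner A", "99901")          # constructed prefixes
    sender = "9990255512"                         # constructed global title
    before = fw.decide(sender, "updateLocation")  # agreement not yet configured
    fw.add_partner("Partner B", "99902")          # rule added after the agreement
    after = fw.decide(sender, "updateLocation")
    query = fw.decide(sender, "anyTimeInterrogation")  # outside the policy
    fw.add_partner("Catch-all", "999")            # overly broad rule
    return before, after, query, fw.broad_prefixes()
```
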

When Gottschalk is hired by a telco to pen test firewalls, of the 50 or so different tests he performs, it’s typical for between five and ten security loopholes to be found.

“It's kind of an ever changing thing when we do these tests,” he adds. When loopholes are fixed, it's often the case that a new flaw will pop up as a result of the change.

“They make us test again, we'll say, okay, it's a bit better, but we can still do this other thing that we couldn't do before. It's an iterative process.”
