»Trojans in SS7 - how they bypass all security measures«
2018-10-16, 17:00–17:45, Europe

Almost all recent SS7 security research concerns abuse in which a request that looks legitimate leads to a violation of confidentiality, integrity, or availability. There are many protective tools to mitigate this issue. However, our new research demonstrates that malicious SS7 requests can be hidden behind harmless ones, which resembles a Trojan attack. In this talk, I will explain and demonstrate how a malefactor could exploit SS7 Trojans in order to bypass existing protection tools in SS7 networks.

Introduction: What's the problem with SS7?

For years now, SS7 security has been in the focus of security researchers and the media. The threat of hackers using SS7 flaws to steal money from bank accounts, by intercepting text messages that contain one-time passwords, has moved from fantasy to fact. The good news is that mobile operators understand the problem and are starting to protect their signaling networks, so signaling security is improving. The bad news is that signaling security remains woefully inadequate. Our recent research demonstrates that there are some "tricks" for bypassing existing security tools, including both SMS Home Routing and SS7 firewalls. SS7 Trojans that implement such techniques are discussed below.

Current methods for securing SS7

There are several ways available for active signaling security protection. The first is to fine-tune the configuration of network equipment for maximum security. This is the least expensive option, since existing equipment is used. However, it does not protect the network against disclosure of private identity information of subscribers, specifically their International Mobile Subscriber Identity (IMSI). The IMSI is necessary for hackers when they perform malicious actions on an SS7 network (such as location tracking). The second method, SMS Home Routing, can help to prevent disclosure of IMSI identities. SMS Home Routing is a hardware and software solution that routes text messages to subscribers via their home network, acting as a proxy to prevent disclosure of equipment addresses and IMSI information. The third method, SS7 firewalls, has been a major trend among mobile operators in the last year. These firewalls can provide the maximum available protection for signaling networks.

Sometimes, an operator deploys one (or more) security tools and imagines that security is now guaranteed. However, things are more complicated than that. Our research empirically demonstrates that operators who have installed SMS Home Routing actually have worse security than operators without it.

GSMA FASG has issued a number of documents for classifying possible SS7 messages on operator interconnects. Signaling firewalls rely on this classification, which sorts potentially hazardous signaling messages into three groups:

- Category 1: Messages sent solely between home network elements.
- Category 2: Messages sent from the operator's home network to the visited network where the subscriber is currently roaming.
- Category 3: Messages sent from the current visited network to the home network.

Messages from Category 1 are easily blocked on the border STP (Signaling Transfer Point) or HLR (Home Location Register); protection against such messages can be achieved by equipment configuration. SS7 firewalls effectively combat illegitimate Category 2 messages. The most difficult task is to protect mobile networks against hostile Category 3 messages. Signaling security solution vendors propose different ways to solve this problem:

- Checking a subscriber's real location
- Keeping a database of subscriber movements
- Inspecting all signaling traffic related to the activity of outbound roamers

Based on the growth in available options, we can say that good progress has been made in detection of hostile Category 3 messages.
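As an added illustration, not part of the talk or its research, the following toy model shows the kind of category-based decision an SS7 firewall makes for traffic arriving over an interconnect, including the location check used against Category 3 messages. The network identifiers, IMSIs, roaming registers and the category assigned to each sample message are constructed; real classification comes from the GSMA documents.

```python
"""Toy model of an SS7 firewall decision based on the GSMA message categories."""
from dataclasses import dataclass
from typing import Optional

HOME = "home-op"             # constructed id of the protected (home) network
HOME_IMSI_PREFIX = "00101"   # constructed MCC+MNC of the home network's subscribers

# Constructed stand-in for the "database of subscriber movements":
# our outbound roamers -> network where each is currently registered.
OUTBOUND_ROAMERS = {"001010000000001": "visited-A",
                    "001010000000002": HOME}
# Inbound roamers currently served by our network -> their home network.
INBOUND_ROAMERS = {"002020000000009": "partner-B"}


@dataclass
class SignalingMessage:
    category: int          # GSMA category 1, 2 or 3 (constructed per sample message)
    origin: str            # interconnect partner the message arrived from
    imsi: Optional[str]    # subscriber the operation refers to, if any


def is_home_subscriber(imsi: Optional[str]) -> bool:
    return imsi is not None and imsi.startswith(HOME_IMSI_PREFIX)


def firewall_decision(msg: SignalingMessage) -> str:
    if msg.origin == HOME:
        return "allow"                           # internal traffic; Cat 1 belongs only here
    if msg.category == 1:
        return "block:cat1-on-interconnect"      # never legitimate from a partner
    if msg.category == 2:
        # Cat 2 flows home -> visited, so from a partner it must concern one of
        # THEIR subscribers who is roaming on OUR network, never one of ours.
        if is_home_subscriber(msg.imsi):
            return "block:cat2-targets-home-subscriber"
        if INBOUND_ROAMERS.get(msg.imsi) != msg.origin:
            return "block:cat2-no-inbound-roamer"
        return "allow"
    if msg.category == 3:
        # Cat 3 flows visited -> home, so the sender should be where our subscriber
        # really is. A genuine location update arrives from a NEW network, so a
        # mismatch is flagged for plausibility (velocity) review rather than dropped.
        if not is_home_subscriber(msg.imsi):
            return "block:cat3-unknown-subscriber"
        if OUTBOUND_ROAMERS.get(msg.imsi) != msg.origin:
            return "review:cat3-location-mismatch"
        return "allow"
    return "block:unclassified"
```

The model shows why Category 3 is the hard case: the decision depends on state about where each subscriber actually is, not on the message alone.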

SS7 Trojan: a new class of attacks on SS7 networks

GSMA security documents do not cover all SS7 messages. In fact, some SS7 messages are considered to be harmless. Harmless signaling messages can be delivered to any type of SS7 network. But can a hacker use these messages to perform illegitimate actions? The answer is "yes." A hacker can use a harmless message to mask a harmful payload. This conceptually resembles a Trojan attack, which is why I have dubbed such attacks "SS7 Trojans." In this talk, I will describe several methods by which a malefactor might bypass SS7 protection tools.