Fraudulent exploits of SS7 on the rise: get your firewalls and filters in place now

Fifty dollars will get you access to SS7 networks; what you do with that is up to you.

Just fifty dollars spent on the dark web can provide hackers with the means to exploit vulnerabilities in the SS7 signalling network so that they can carry out frauds via means such as spoofing user location and hijacking calls and messages.

Steve Buck, of Evolved Intelligence, said that companies that gain access to SS7 networks for supposedly legitimate purposes can then resell access to fraudsters or hackers – sometimes even on a subscription basis. Often the “host” operator offering access is a smaller operator of some kind that either lacks the means or desire to investigate what its supposedly legitimate partners – say ones that purport to require SS7 access to offer enterprise SMS services – are up to.

Providers of SS7 security solutions such as Evolved Intelligence – others would include players such as Adaptive Mobile, Xura, Cellusys, Haud Systems and Symsoft – have been publicly marketing SS7 Firewall products since at least late 2014. This came after a demonstration of SS7 vulnerabilities by “white hats” at the Chaos Communication Congress in the same year.

Many of the early exploits of SS7 seemed to be sophisticated attacks on user privacy – such as tracking user location – seemingly carried out by espionage agencies or entities.

However, Buck said that operators and security companies have seen fraudulent exploits of SS7 signalling networks increase in the past 12-18 months, prompting groups like the GSMA to get involved in writing specifications to guard against attack. Up until now major operators have been aware of the potential for brand damage caused by SS7 vulnerabilities, but there has been less focus on fraud, Buck told TMN. “This is not just a security problem, it is a fraud problem,” he warned.

In June 2016 a working group known as the Communications Security Risk & Interoperability Council (CSRIC) was tasked with reporting to US regulator the FCC on SS7 vulnerabilities, following high-publicity “attacks” carried out by researcher Karsten Nohl on the cellphone of Congress member David Lieu. This month it submitted its recommendations. It said that operators should continue to implement firewall methods to protect from attack, but also that there should be more information sharing within the industry on attacks.

This recent shift in momentum towards fraudulent exploits has partly been a result of target companies such as banks tightening up their own procedures, making it harder for fraudsters to successfully carry out attacks via methods such as internal fraud and social engineering. This has led them to exploit the communications network as a means of attack.

Another reason for the shift is that operators were previously able to ring-fence access to SS7 hubs to a small range of trusted partners. But with a larger number of companies benefiting from a direct connection to the signalling layer, it has become harder to police access.

The US CSRIC report said: “Access to SS7 networks has increased over the past few decades, in some instances, by design, as telecommunications networks and network functions were opened up to more competition, and were adapted to novel uses and new services, like Application to user Short Message Service (SMS) services (e.g. for financial information, flight information, password recovery etc.).”

One example of a fraud enabled by SS7 hacking would be to intercept a One Time Password sent by a bank within an SMS to a user making a money transfer. The fraudster intercepts the SMS or phone call before it reaches its rightful recipient. Another usage might be to spoof a user location by sending a fake MAP (Mobile Application Part) update – pretending a user is in a different country – to carry out an IRSF (International Revenue Share Fraud) to premium rate lines.

One additional problem for operators is to distinguish messages that merely appear to be problematic from those that actually are. At the scale and volume of signalling messages operators handle, this is a significant effort. For example, Evolved Intelligence’s systems installed in about 60 operator networks are now seeing around 10 billion SS7 signalling messages every day.
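
As an added illustration (not code from Evolved Intelligence or any other vendor named here), the sketch below shows one way subscriber state can separate a spoofed MAP location update from ordinary roaming: an impossible-travel check against the last trusted registration. The country coordinates, speed limit, IMSIs and global titles are constructed assumptions.

```python
import math

# Constructed sample data: country-code prefix of the VLR global title ->
# rough (lat, lon) of that country. Illustrative, not an operator database.
CC_LOCATION = {"44": (54.0, -2.0), "49": (51.0, 10.0), "61": (-25.0, 134.0)}
MAX_SPEED_KMH = 1000.0  # assumption: a handset travels no faster than an airliner

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def country_of(vlr_gt):
    """Longest-prefix match of a VLR global title against known country codes."""
    for n in (3, 2, 1):
        if vlr_gt[:n] in CC_LOCATION:
            return vlr_gt[:n]
    return None

def screen_updates(events):
    """Return (imsi, reason) for each update that contradicts subscriber state."""
    last_seen, alerts = {}, []
    for ts, imsi, vlr_gt in sorted(events):
        cc = country_of(vlr_gt)
        if cc is None:
            alerts.append((imsi, "unknown-origin"))
            continue
        prev = last_seen.get(imsi)
        if prev and prev[1] != cc:
            hours = (ts - prev[0]) / 3600.0
            needed = km_between(CC_LOCATION[prev[1]], CC_LOCATION[cc]) / MAX_SPEED_KMH
            if hours < needed:
                alerts.append((imsi, "impossible-travel"))
                continue  # keep the last trusted state; do not adopt the new one
        last_seen[imsi] = (ts, cc)
    return alerts

# Constructed events: (unix time, IMSI, VLR global title)
SAMPLE = [
    (0,    "234150000000001", "447700900001"),  # registered at home
    (600,  "234150000000001", "61400000001"),   # 10 minutes later, far side of the world
    (0,    "234150000000002", "447700900001"),
    (7200, "234150000000002", "49170000001"),   # two hours later, short-haul roaming
]
```

Only the first subscriber's second update is flagged; the two-hour move to a neighbouring country passes, which is the kind of distinction that keeps the count of "problem" messages realistic.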

Buck said that many operators Evolved Intelligence works with tend to over-estimate the number of problem messages, reporting “problem” messages to be around 0.5% of messages.

“The reality is the threat is 10x smaller than that – although that still equates to one message per second per operator round the world.”

With so many SS7 Firewall products on the market – what makes one different from the other? Buck identified three areas where Evolved Intelligence seeks to assert its advantage.

The first is that EI comes from a background of banking and Value Added Services, giving it an understanding of anti-fraud processes and systems and also insight into real-time subscriber state. In turn, Buck said, that gives it the ability to identify what is a problem and what is not in terms of messages on the SS7 network. A third differentiation is that EI can run its firewalls as managed services, deploying as software on Network Interface Units. This gives a more scalable and credible architecture, Buck said.