Signalling threats: SS7 and beyond – part two

Following our last blog piece on the current situation in signalling networks and who is being affected, this time we take a look at the signalling protocols used in telecoms networks that are being attacked. There are a number of different signalling protocols used in telecom networks. From a security perspective, each of them has their own idiosyncrasies to consider.

The SS7 protocol was designed in the 1970’s for a small, trusted set of national telecom operators. It has limited built-in security and lacks end-to-end authentication. In the early days, the main adversary was lack of bandwidth and computational address space. The goal was just to find a reliable and practical way of relaying data between network entities. The SS7 network itself could be likened to a private network where all peers are known, and every connection assumed to be friendly. In many ways, the naivety of the early IP networks has lingered in the global signalling network, and we are only now waking up to the reality that has been present in IP networks for decades.

Many of the issues found in legacy SS7 networks persist in LTE over Diameter. Some of them have in fact been amplified through this evolution, and additional risks and security issues have emerged as a consequence. The parallel worlds of SS7 and Diameter both rely on a few fundamental concepts. A subscriber is enrolled in the global rolodex of the network known as the HLR/HSS (Home Location) and for every location (MSC/MME) the subscriber visits, the HLR/HSS is queried and information transferred regarding the subscriber’s subscription plan details, current location and available services.

In SIP, there is a higher degree of maturity when it comes to filtering, rate limiting and security in general. Many lessons have been learnt through the widespread use of freely available platforms and open source development. Penetration testing tools and SIP compromise tools have been publically available and heavily used by security researchers and attackers for many years. This does not mean that SIP is completely secure, but it does place it in a slightly different and more mature category than SS7 and Diameter. There has been SIP Firewalling available in varying degrees for some time, although not always specifically geared towards VoLTE.

From a security research perspective, the GTP control plane (GTP-C) appears to be less of a target than SS7 and Diameter. Researchers and security analysts have not been able to compromise GTP to the same extent as SS7 or Diameter, plus GTP firewalls have been on the market for some time. Most of the attacks on GTP have been speculative, and while there are open GTP ports on the public internet, there have been few reports of actual compromise.

Check in for the next blog to see what countermeasures can be put in place to protect these networks against attacks.

Originally posted on www.symsoft.com, find out more about Symsoft’s rebrand to Sinch in the press release here.