The problem of signaling network security has moved from a theoretical threat to one actively used by criminals in the wild. According to data collected by Positive Technologies, these criminals are able to monitor the location of mobile subscribers, intercept calls, bypass billing systems, and block users. One client, a major mobile operator with tens of millions of subscribers, faces a daily onslaught of more than 4,000 cyberattacks in signaling networks.
SS7 cybersecurity monitoring was performed by Positive Technologies for major mobile operators in Europe and the Middle East. Threats such as fraud, disruption of subscriber service, and interception of subscriber traffic (including calls and text messages) totaled less than two percent of attempts. However, it is these threats that pose the greatest danger to subscribers. In particular, the researchers found that 100 percent of attempted SMS interception attacks were successful.
Use of SMS for two-factor authentication means that if a hacker is able to access a subscriber's text messages, they can go on to compromise accounts for online banks, stores, government services, and much more. In one such attack in 2017, text messages to subscribers of one German mobile operator were intercepted, which enabled the attackers to steal money from the subscribers' bank accounts.
Fraud against operators and subscribers is also a growing threat. Many fraud-related attacks (81 percent) involve sending USSD requests without the subscriber's authorization, with around a quarter proving successful. Such requests make it possible to transfer money from a subscriber's account, sign the subscriber up to an expensive premium-rate service, or send phishing messages that claim to be from a trusted party.
The report draws upon 24 security projects performed in the 2016–2017 period on SS7 networks of mobile operators in Europe and the Middle East. Half of these operators have a subscriber base exceeding 40 million people.
Virtually every network allowed eavesdropping on conversations and reading incoming text messages. Fraud was possible on 78 percent of networks. All networks contained dangerous vulnerabilities with which an attacker could disrupt subscriber access to services.
“Operators are waking up to the risks and starting to act: all the networks we tested in 2017 had a SMS Home Routing system. One third of networks had a system for filtering and blocking signaling traffic,” said Dmitry Kurbatov, CTO at Positive Technologies. “This remains only a stopgap measure at best, however. Every network today is vulnerable, whether due to equipment misconfiguration or architectural shortcomings of SS7 signaling networks, which cannot be fixed with the options currently available.”
As the report concludes, only a comprehensive security approach can minimize these business hazards: regular network audits, proper network configuration, non-stop monitoring of signaling traffic, and timely detection of illegitimate activity are essential components of any successful security strategy.
The full version of the report is available at the following link: https://positive-tech.com/research/ss7-vulnerability-2018/