Proud Host of GSMA WAS#4. October 31st - November 3rd 2016. Find out more...

The SS7 network needs its own secured borders

  • Published 26th March 2015

SS7 is a very sturdy protocol for mobile network signalling control. The layers are well-defined with exact procedures dealing with redundancy, robustness, alternate routing and load-sharing all designed in from the start.

Noticeably absent from the specifications, however, is reference to security measures, perhaps signifying the size and level of trust amongst the MNO community when the SS7 protocol was introduced and developed over 40 years ago.

SS7 holes in the GSM/UMTS networks were recently published and are indeed very serious – unauthorised and undetected intercept of voice, data and SMS communications, street-level location tracking, exposure of the encryption keys used on the air-interface and denial of service attacks amongst others.

No doubt, governments are bringing pressure upon the MNOs as evidenced by the US Congress and some European operators who have been in discussions with government agencies regarding these security threats.

MNOs need to react swiftly to secure their SS7 network borders to protect their subscribers, whilst also allowing the movement of genuine visitors and interconnect traffic across these secured borders.

However, notwithstanding the many good qualities of SS7 around robustness and resilient routing, it is unfortunately not possible, nor is it pragmatic, to design or retrofit security into the SS7 transport protocols.

Such a process, even when defined, would take years to implement and result in an enormous amount of disruption. Redesigning the network to use IP-related security (e.g. IPsec, TLS) is also not a practical option. Thus, other approaches are needed.

In my opinion, the only practical approach is to introduce SS7 firewalls at the network borders to closely monitor and detect any fraudulent activity traversing said borders.

A sophisticated SS7 firewall will act as a ring of steel blocking fraudulent attacks in real time. Fortunately, some element of SS7 firewalling has already been deployed as SMS firewalls in the mobile networks to counteract SMS fraud and spam. It is estimated that approximately 50% of network operators today have deployed an SMS firewall.

A common and key technique of SMS firewalls is home routing, which ensures the protection of the key sensitive subscriber identity known as the IMSI, as well as the network node addresses serving the subscriber. Firewalling SMS alone is not enough, as in all of the recently publicised attacks the IMSI identity has been learned as a result of it being exposed across the network border.

It is my view that other detection and protection techniques supplemental to home routing are now necessary in a firewall in order to achieve that “ring of steel”  for the signalling network border, given that fraudsters will constantly attempt to expose weaknesses, for example to initiate Denial of Service as well as brute force attacks.

The SS7 firewall design challenge is to protect against vulnerabilities whilst at the same time allowing the network to support genuine roaming and interconnect traffic flows. In addition to the firewall technology itself, a high degree of SS7 knowledge is crucial to the SS7 firewall deployment design to avoid unnecessary and disruptive changes to other network nodes as well as to peer networks.

SS7 is only understood by very few people and companies worldwide. The above-mentioned techniques developed for SS7 firewalling will require this expertise to be harnessed.

The quicker the industry can work together to achieve this, the quicker we can ensure that this mobile network for global P2P and M2M communications continues as a trusted media for all citizens.

 

John Murtagh
CTO, Anam Technologies