In the wake of recent highly publicized cyberattacks, the increased threat of data exploitation and the growing demand for network security protection, Xura participated in a live external webinar with Erik K Linask, Senior Editor, TMCnet.
Our security expert Ilia Abramov discussed recent press publications on signaling network vulnerabilities and explored the SS7 fraud that threatens mobile network security and subscriber privacy. He identified the risks, determined protection scenarios and highlighted important security considerations for LTE signaling network planning.
2. SS7 network security takes the stage
• December 2014: Annual Chaos Communication Congress event held in Hamburg
Featured 3 presentations on SS7 security:
• SS7: Locate Track Manipulate
• Mobile self-defence
• SS7 Map – Mapping vulnerability of international mobile roaming infrastructure
Demonstrated attacks through SS7 interconnects:
• Location and tracking of mobile users
• Denial of Service attacks
• Eavesdropping via man in the middle attack – 2G and 3G
• Traffic diversion
• De-anonymization
• Fraud
• Spam
XURA SIGNALING FRAUD MANAGEMENT
3. Is there a problem?
We think so…
4. Anatomy of signaling exploitation
Illegal access to operator HLR (SRI, Femto cell, ATI, etc.)
Impact:
• Loss of subscriber privacy
• Loss of revenue by the MNO (location tracking service)
Faking of the subscriber profile (multiple ways)
Impact:
• Loss of subscriber privacy
• Subscriber churn
• Legal exposure of MNO up to revoking of license
Faking of the subscriber profile (multiple ways)
Impact:
• Loss of subscriber privacy
• Impact on A2P revenue due to compromised 2 layer authentication
Faking of the network element addressing
Impact:
• Attack on the other operator network
• Revenue impact (e.g. fake SMSC)
• Exposure of own network element in the other operator attack

• SMS interception
• Location tracking of the subscribers
• Voice call interception
• Spoofing of the network elements
6. Attack motivation
Most valuable asset is INFORMATION!
• Confidential data
• Private and business conversations
• Messaging and data
Service interruption
• DoS attack on subscriber
• Enforced service degradation
Financial
• IRSF calls
• Messaging fraud
• Grey Routes
7. Anatomy of the signaling attacks
[Diagram. Labels: Obtain subscriber IMSI; Fake subscriber profile; HLR, HSS, MSC, MME, VLR; SRI-SM, ATI; Receive call, SMS, data; Main attack action; Attacks on subscriber private communication]
8. Mitigation: Technical measures
FASG
• Keeping one’s network safe is an ongoing task of determining & blocking attacks, to be done by signalling experts
• Can only be automated partially
• SS7 firewall
• SMS Home Routing/Firewall
• Monitor to see what kind of attacks your network is exposed to
• See the SS7 Monitoring Guidelines, authored by RIFS
• Filter at the network edge
• Diameter Edge Agent (DEA) at the edge to the IPX Network
9. IMSI Harvesting
• HLR phishing
• HLR/HSS
• SRI for SM
• ATI
• Home Routing
• STP filtering
• Impossible to have full IMSI protection. However, all security measures make sense.
12. Potential IP vulnerabilities rise in Telco industry
• SS7
• SIGTRAN
• EPC Diameter
• IMS SIP
13. Attack dimensions and Impact
Diameter attacks occur in multiple dimensions
Issue | Risk | Cost
Prepaid Abuse | High | High
Denial of Service (area) | High | High
VoIP Originated SS7 Injection | Medium | High
Financial/charging fraud | High | High
Privacy Theft | Medium | Medium
IoT intrusion | High | High
14. Protecting EPC signaling network
• Ensures 1st hop protection
• Challenge: administration nightmare
• Does protect from signalling attacks
• Enable secure transport for the interconnects
• Check packet compliancy
• Enforce Diameter message dictionary to the applications
• Selectively filter any protocol extensions
• Perform address consistency validation
• Validate protocol consistency
• Collect interconnect signaling data
• Analyze detected inconsistencies
• Identify the sources
• Engage with roaming partners
• Monitor and Act
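The dictionary enforcement, extension filtering and address consistency checks listed on this slide, shown as an added example (not Xura's code and not part of the original deck). It assumes requests are already decoded into dicts; the peer name, realm table, field names and sample messages are constructed.

```python
# Added illustration: peer name, realm table and messages are constructed.
S6A = 16777251                       # 3GPP S6a/S6d application id
ALLOWED_COMMANDS = {
    0: {257, 280, 282},              # base protocol: CER, DWR, DPR
    S6A: set(range(316, 324)),       # ULR, CLR, AIR, IDR, DSR, PUR, RSR, NOR
}
ALLOWED_VENDORS = {0, 10415}         # 0 = no Vendor-Id (IETF), 10415 = 3GPP
PARTNER = "epc.mnc001.mcc001.3gppnetwork.org"   # test PLMN 001/001
OTHER = "epc.mnc002.mcc001.3gppnetwork.org"
# Hypothetical interconnect configuration: realms each peer may originate.
PEER_REALMS = {"dea.partner-a.example": {PARTNER}}

def check_request(peer, msg):
    """Return the policy violations found in one decoded Diameter request."""
    problems = []
    host, realm = msg["origin_host"].lower(), msg["origin_realm"].lower()
    # Dictionary enforcement: the command must belong to the application.
    if msg["command"] not in ALLOWED_COMMANDS.get(msg["app_id"], set()):
        problems.append("command-not-in-dictionary")
    # Extension filtering: reject AVPs from vendors outside the allow-list.
    if any(v not in ALLOWED_VENDORS for v in msg["avp_vendors"]):
        problems.append("unknown-vendor-avp")
    # Address consistency: host lies inside its realm, realm belongs to peer.
    if not host.endswith("." + realm):
        problems.append("origin-host-outside-realm")
    if realm not in PEER_REALMS.get(peer, set()):
        problems.append("realm-not-assigned-to-peer")
    return problems

def rejected(peer, messages):
    """Return (origin_host, violations) for every request to reject."""
    results = [(m["origin_host"], check_request(peer, m)) for m in messages]
    return [(h, p) for h, p in results if p]

def _req(command, host, realm, vendors=(0, 10415), app_id=S6A):
    return {"app_id": app_id, "command": command, "origin_host": host,
            "origin_realm": realm, "avp_vendors": list(vendors)}

SAMPLE = [  # constructed requests, as if received from dea.partner-a.example
    _req(316, "mme01." + PARTNER, PARTNER),             # well-formed ULR
    _req(318, "mme07." + OTHER, OTHER),                 # realm not this peer's
    _req(316, "mme01." + OTHER, PARTNER),               # host/realm disagree
    _req(272, "mme01." + PARTNER, PARTNER, (0, 9999)),  # CCR on S6a, odd vendor
]

if __name__ == "__main__":
    for host, reasons in rejected("dea.partner-a.example", SAMPLE):
        print(host, reasons)
```

The rejected list is also the input for the monitoring steps on the slide: the reasons per origin host are what gets analyzed and raised with the roaming partner.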
15. Signaling network protection strategy
Protect Legacy SS7/SIGTRAN network
• Focus on interconnect first
• GSMA Recommendation
• Signaling Firewall
• Signaling flow monitoring and analytics
Secure design of EPC
• Ensure external connectivity via secure DEA
• Enable transport security
• Enforce protocol consistency
• Implement Protocol level enforcement
• Signaling flow monitoring and analytics
Ensure signaling perimeter control & monitoring
• Monitoring and analysis
• Protocol enforcement capabilities
16. Your partner in signaling security
• Understanding of signalling network architecture and principles
• Years of reliable carrier grade signalling service
• Guaranteed confidentiality!
• Revenue assurance
• Network audit and penetration testing
• Enforcement of security policies and real-time monitoring
17. Get in touch
Email: contactxura@xura.com
Check out: http://www.xura.com/our-services/digital-communications/security
Complimentary white papers
The attacks do not directly represent revenue leakage; rather, they impose a significant risk of losing valuable customers, of legal charges and even of exposure to the local regulator.
They also damage the brand name and stimulate adoption of OTT services as the preferred way of communication.
These are not bugs in the protocol, but rather exploitation of its capabilities. In good hands it does what it does, but in bad hands the tool can be harmful.
3GPP designed the core protocol according to the requirements, but the environment was considered friendly, so the requirements did not focus on security aspects, while GSM radio links are quite well protected.
Location to mention
Start story from the back
GSMA work to be mentioned.
Implement attack prevention steps: not only the 1st step, but going further to mechanisms that prevent faking and spoofing.
Detects and prevents identity theft
Detects and prevents faking and spoofing
Provides insights into the traffic patterns
Detects traffic anomalies
Exposes attackers and their targets
Prevents logical DoS attacks
Important:
User friendly configuration and management interface (intuitive)
Transfer:
One might think that switching off circuit-switched networks will also solve the problem.
Although the attack vectors change, the security measures still need attention.
Man in the middle attack is excluded (IPsec)