The Threat of Signaling

Signaling level risks, specially fraudulent access from connected SS7 networks, is one area which is making a lot of noise in the assurance and security functions of telecom organizations today. The focus on the matter is such that most of the industry conferences talking about the current and next gen threats have a lot of matter being presented and shared on this topic – both from the operators and vendors alike.

What are the risks?

The signaling level risks generally refer to SS7 (2G/3G) and Diameter (4G) level vulnerabilities (inherent or configuration based) which expose operators to hacks/frauds through signaling control commands specially in roaming and interconnect scenarios. The scenario becomes more risky considering a normally configured SS7 infrastructure of an operator is accessible to any other operator in this world, either directly or through a certain number of hops.

Now, just consider a situation where a rogue operator exists or a group of hackers with a malicious intent have got access to SS7 signaling of any less-secure operator.

The losses due to signaling risks, while are still quite speculative, are expected to run to billions every year. Artificial inflation of traffic (specially A2P & P2A SMSes), spamming, spoofing, refiling, profile modification, and unlawful tracking are all current and real problems.

The SS7 signaling based vulnerabilities have been existing since very long, but have become part of news headlines recently due to certain revelations made by famous ethical hackers at certain high profile security conferences.

Some industry pundits make a point, which most of my industry connections agree with, is that these risks exist mostly due to the fact that operators tend to create unreliable partnerships and configure unregulated access (like open GT access, acceptance of any signaling command etc.) which enables malicious parties to connect to networks and conduct fraudulent activities very easily.

There have also been discussions around existence of services exploiting these signaling level vulnerabilities being offered in the grey markets through rougue hacking communities for a price.

Can you eradicate these risks?

Ideally, operators should sanitize access configuration on SS7. They should rethink, reidentify, reevaluate and reconfigure access levels. But this is really difficult to achieve due to practical issues, such as:

  • Most of the SS7 networks were configured years ago. Operators may lack the expertise to reconfigure them.
  • Configuration is a time consuming activity. When coupled with re-testing connectivity with all network partners, it is also costly.
  • Reconfiguration may require network downtime – which is a complete no-no for a lot of telcos. This situation becomes even more problematic for countries where networks must comply with national obligations regarding uptime.

Just one infected, insecure or rogue operator poses a threat to everyone else. Sanitizing every operator is a feat which is very unlikely to be achieved. However, SS7 signal based networks are here to stay (at least for another 10 years in developed markets, and 20-25 years in developing countries).

As operators adopt 4G, fraud and security functions face the challenges of working with networks that use the Diameter signaling protocol. Diameter does not have native security standards built in. Security mechanisms must be implemented on top, which leaves open the possibility of gaps in security. Diameter access methods are similar to SS7, exposing 4G networks to similar risks as SS7.

What can be done now?

For now, implementing detection controls will help to address vulnerabilities whilst we await more permanent solutions. Even detecting malicious signaling requests involves involves some complexity:

  • High false positive rates. A lot of signaling requests that appear to be malicious may be the result of configuration mistakes by partners.
  • Sheer size of signaling data to be analyzed. Big Data support is vital.
  • Lack of skills. It would be challenging to upskill fraud and risk management teams so they can undertake this task. Even security teams would find it difficult to add this activity to their responsibilities.

I feel the correct approach is that telcos enter into partnerships with vendors who possess the domain knowledge, skills and Big Data technology. Because nobody had the complete answer for signaling vulnerabilities, these partnerships should be both liberal and experimental, in order to leave room for exploration.

This article was originally published on the Subex blog. It has been reproduced with their permission.

Abhijeet Singh
Abhijeet Singh
Abhijeet is a Principal Consultant at Subex. He specializes in telecom fraud management and his experience covers fraud operations management, consulting, risk and health assessments, business development and analytics. Outside his professional life, Abhijeet is a blogger, tech enthusiast and a traveler.