Will Telcos Be Forced to Secure SS7?

Unless have been sleeping a long time, you know that SS7 relies on trust. The assumption is that legitimate telcos are using SS7 to send signals to each other. Problems occur when rogues take advantage of that trust, possibly to spy on people. (If you need a quick refresher about SS7’s security weaknesses then I recommend you take a look at this article by Don Reinhart of LATRO.) Though the issues have not changed for a long time, because SS7 has been around for a very long time, telcos are being increasingly asked to do something about these security and privacy risks. Earlier this month US Senator Ron Wyden wrote letters to the bosses of AT&T, Sprint, T-Mobile US, and Verizon, asking what they were doing about addressing SS7 vulnerabilities. He argued it was in their commercial interest to talk about the issues.

If wireless carriers were more transparent about the severity of SS7 vulnerabilities and their progress in defending against such attacks, the market could reward those companies who have the most secure networks. Just as carriers openly compete on the speed and reach of their networks, they should also be competing on cybersecurity.

Wyden has agitated for better SS7 security before. In March he penned a joint letter with Representative Ted Lieu that asked what the US Department of Homeland Security (DHS) had done to stop SS7 weaknesses being exploited by “foreign governments, hackers and criminals”. They even questioned what the DHS was doing to promote consumer awareness of the risks:

Congress has been sounding the alarm about SS7-enabled surveillance for a year. What steps has DHS taken to make the public aware of these threats?

One problem faced by such well-meaning campaigns is that they are better at causing alarm than identifying real victims. A committee of the Federal Communications Commission (FCC), the US comms regulator, has observed that “the overwhelming amount of SS7 traffic is legitimate”. Telcos should be wary of implementing solutions that negatively impact customers, as might be the case if filtering technology slowed performance.

The other problem faced by privacy campaigners is that governments seem to hate SS7 vulnerabilities when it means their citizens are being spied upon by foreigners, but they love the same vulnerabilities when the government is doing the spying. Though press articles like to imply SS7 weaknesses are being exploited by everybody from Russian mobsters to your neighbor’s aunt, the people most likely to have the resources and motive to abuse SS7 will be national security and law enforcement agencies. For them, SS7 can be a great way to monitor targeted individuals all around the globe. So it is not as if these people will go out of their way to secure funding for the development and widespread distribution of cheap general-purpose solutions to SS7 weaknesses.

The next question to ask is whether such solutions exist. The answer is yes-and-no. Firewalls are not perfect, but they are probably sufficient to stop the attacks actually being implemented in practice. Security researcher Karsten Nohl said as much when Wired asked him what telcos should do to address SS7 weaknesses. However, if you want to protect unencrypted text like SMS messages, then an obvious solution is to encrypt comms from end-to-end, and that is why advising customers about encryption is mentioned amongst the list of SS7 security recommendations issued by the FCC in August. And now we should remind ourselves about who are the biggest opponents of universal end-to-end encryption: governments, and the security and law enforcement agencies that work for them.

Though it makes for good newspaper headlines, some of the scams now being blamed on SS7 failings could have been implemented using much more basic techniques. German newspaper Süddeutsche Zeitung recently reported (in German) about a scam where hackers stole money by obtaining all the relevant details for the victims’ bank accounts, then exploited SS7 to intercept the authorization codes sent by SMS. Those of us who work in the telecoms industry know that the same codes could also have been obtained using some version of ‘SIM swapping’ – the practice where criminals use deceit to trick telcos into issuing them with a new SIM for an existing customer’s phone service. Securing SS7 would stop one way of intercepting of text messages, but not all the other ways that criminals can use to read the messages sent by banks to a phone number. Süddeutsche Zeitung implies the blame lies with telcos, rather than the banks that overly rely on telcos to provide two-factor authentication for their services:

Der Hackerangriff bringt vor allem internationale Telekommunikationsanbieter in Erklärungsnot, da die ausgenutzte Schwachstelle seit Ende 2014 öffentlich bekannt ist. Bereits damals wurde gewarnt, dass es für motivierte Kriminelle ein Leichtes sei, auf diese Weise Geld zu klauen.

Die Branche hatte ausreichend Zeit, um das Problem zu lösen. Doch anscheinend versteht sie erst allmählich, wie lukrativ dieser Weg für Hacker sein kann.

The hacking attack is a particularly acute problem for international telecommunication providers, as the exploited vulnerability has been public knowledge since the end of 2014. They were warned how easy it is for motivated criminals to steal money this way.

The industry had plenty of time to solve the problem. But apparently it only gradually understands how lucrative this method is for hackers.

Maybe so, but WhatsApp is secure and free. What stops banks using encrypted comms between them and the customer’s phone? The main issues are convenience and universality. They do not want to ask customers to download a secure app, and not everybody has a smart phone. So telcos get the blame for over-reliance on their infrastructure instead, even though nobody designed SMS messaging with the intention that it should be any more secure than a postcard. It is especially galling that Germans lack the sophistication to grasp the difference between the security of a message and the security of the means of communicating a message. The East German Stasi employed thousands to steam open envelopes, copy the letters inside, then reseal them. Earlier in history, Germany lost World War 2 because the British used computers and maths to crack German codes. It beggars belief that technologically astute Germans believe that privacy solutions should focus on making the metaphorical equivalent of tamper-proof envelopes, whilst doing nothing to stop the secrets inside from being written in plain, unencrypted text.

There will be continued grumbling about the frailties of SS7, but I expect there will not be any real pressure to invest in improvements around an old and familiar technology that telcos will need to keep supporting for the sake of interoperability. We let fraudsters in foreign countries get away with much simpler crimes because nobody can be bothered to prosecute them. Securing SS7 is a good idea, but there are many ways to improve security, and everybody in this argument is trying to avoid taking any of the burden themselves because it is cheaper to get somebody else to pay for security.

Banks could implement more secure ways of interacting with customers, whilst reducing reliance on telcos. Customers could do more to protect themselves. Governments could spend taxpayer’s money on protecting them from surveillance, perhaps by cutting the budgets they give to government spies. And telcos could certainly do more, but arguably they have least incentive.

Secure end-to-end encryption is both effective and cheap. Having no encryption is also cheap. The expensive security options involve protecting people when the government says they should be protected for their own security, but not protecting them when the government says spying is vital for security. This debate could go around and around, with everybody keen to find fault with everyone else, but nobody really motivated to find, and fund, a solution that works for all.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.