SS7 Attacker Heaven Turns into Riot: How to Make Nation-State and Intelligence Attackers' Lives Much Harder on Mobile Networks

Presented at Black Hat USA 2017, July 26, 2017, 1:30 p.m. (50 minutes)

The SS7 mobile vulnerabilities affect the security of all mobile users worldwide. The SS7 is signalisation between Mobile Operators Core Network about where your mobile phone is located and where to send media, so the secured end-device does not help here, as it is only a consequence of having legitimate SS7 traffic. To protect against SS7 vulnerabilities, you need to play at operator-level. And this was not really the kind of thing you could do up till now.

Let's change this. In this talk we propose methods that allow any operator in the world - not only the rich ones - to protect themselves and send the attackers' tricks back to the sender. What if SS7 became a much more difficult and problematic playground for the attacker?

In this talk, we will discuss the current status, possible solutions, and outline advanced SS7 attacks and defenses using open-source SS7 firewall which we will publish after the talk. The signaling firewall is new, so we will not only use it to reduce the vulnerabilities in the SS7 networks, but we also show how to trick and abuse the attackers to make the work much harder for attackers, and give them a hard time interpreting the results. Intelligence agencies love SS7 for the wrong reasons. We will show examples and how we can make eavesdropping and geolocation a nightmare for these nation-state attackers.

The adoption of such signaling firewall could help to reduce the exposure for both active and passive attacks on a larger scale. We will present the capabilities of this solution including the encryption of signaling, report the attacks to central threat intelligence and forward the attackers to honeypot. So what about to find where these SS7 attacks are coming and to start protecting the networks?


  • Philippe Langlois - Security Researcher & CEO, P1 Security
    Philippe Langlois is an Information Security worldwide expert in Network and Telecom with more than 20 years of experience in telecom and network security. He successfully founded several industry-leading companies in security including Qualys (US, NASDAQ: QLYS), INTRINsec (FR), WorldNet (FR), WaveSecurity (US), TSTF (EU) and P1 Security (FR). He conducted security missions such as audit, pentest, hardening, vulnerability analysis, risk analysis and threat intelligence in Telecom and Network domains. Philippe defined new methods and created appropriate tools to audit SS7, IMS and SIGTRAN networks through heavy R&D work. He led world-class pioneering work in vulnerability assessment product development such as in Qualys and INTRINsec. He also led the development of a number of complex system architectures in security products, ASP services and ISP/MSP infrastructures, and built and motivated international engineering teams, around security products and services.
  • Martin Kacer - Core Network Security Researcher, P1 Security
    Martin Kacer is Core Network Security Researcher performing security services and trainings for mobile operators. Contributor to GSMA (e.g. Diameter message categories) and to wireshark project. In past working for telecom operator on core network and latter on security department with focus on protection of the telecom network against signalization attacks. More than 15 years of experience with telecom signalization, protocol stacks, designing the signaling IDS, signaling firewall, fraud detection and also in past developing network elements and signalling probes.


Similar Presentations: