SS7map : mapping vulnerability of the international mobile roaming infrastructure

Presented at 31C3 (2014), Dec. 27, 2014, 11 p.m. (60 minutes).

SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud. The main question of our study is to determine how this insecurity is mitigated by network operator’s action to prevent compromise on both network exposure of infrastructure and privacy compromise of subscribers. It's why we wanted to come out with SS7map. SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud. The main question of our study is to determine how this insecurity is mitigated by network operator’s action to prevent compromise on both network exposure of infrastructure and privacy compromise of subscribers. The goal of SS7map is to provide a global overview by building the first SS7 signaling network world map revealing how vulnerable and exposed are telecom operators and their subscribers. We explain how it is possible for each mapped network to abuse legitimate signalling messages and call flows to discover and fingerprint equipment, intercept SMS messages, and perform massive location tracking of subscribers. More than pure analysis of vulnerability, this map rates and ranks the vulnerability of countries and operators showing discrepancies in the level and type of protection: SCCP screening, SS7 policing, MAP filtering, rate limiting, Network Element security configurations. We then conclude on the direction of signaling security and its current trend and development in the LTE world that shares many similar design insecurities with SS7. SS7map website: http://ss7map.p1sec.com/

Presenters:

  • Laurent Ghigonis
    Laurent Ghigonis is working at P1 Security since 2011. He is involved in SS7 and LTE audits, Network Elements analysis, developing products to scan telecom network and giving security trainings.
  • Alexandre De Oliveira
    Alexandre De Oliveira is Telecom and Network security engeneer. He works especially on the exposure of telecom core network over Internet, harvesting information through proprietary protocols presents on Core Telecom networks. Working at P1 Security since mid 2012, focusing mainly on SS7/SIGTRAN, OAM proprietary protocols and LTE protocols, he also leads on-site pentests, audits missions, trainings and Telecom MBSS on large ISP networks. Alexandre is also part of the Hackito Ergo Sum conference main organizers and was trainer at Hack In The Box 2013 & 2014 about telecom security.

Links:

Similar Presentations: