The mobile world is moving to 5G. However, there are billions of subscribers who still use old 2G and 3G networks. These networks rely on the SS7 (Signaling System #7) protocol stack that was developed in the 1970s. The SS7 stack was supposed to be used as an isolated network within a small club of large telephone operators, so nobody thought about upper-layer security mechanisms. Further development of SS7 brought the possibility of sending signaling traffic over IP networks. Thus, the SS7 stack got vulnerabilities "by-design" that allow an external intruder to perform such attacks as location tracking, service disruption, SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA - the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks.
Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update.
In this presentation, I will demonstrate how an intruder can use new SS7 vulnerabilities to bypass security tools. I will explain why it is possible and how network equipment reacts to malicious traffic. In addition, I will give recommendations to operators on how to make their networks more secure.