Can an entire mobile network be taken down via SS7?

Recently I was asked if it was really possible to take an entire mobile network down simply by sending a few clever SS7 messages to it, and whether there was any documented occurrence of such an event.

Long network wide “outages” do happen from time to time, for example in France in summer 2012, or in Australia and United Kingdom in summer 2014. These outages are usually explained by software glitches or physical issues, and sometimes not at all.

One network wide outage that was clearly due to an SS7 vulnerability recently, was a network wide outage of over 3 hours on the Telenor network in Norway in February 2016 (reported in the Norwegian news). The outage was caused by an SS7 security company that was conducting remote vulnerability assessments without the permission or knowledge of the assessed network Telenor, and sent the Ericsson HLR into a loop because it didn’t support a very rare SS7 message (I have a pretty good idea of which one!) that the security company sent to it over the public SS7 network.

While there clearly wasn’t a malicious intent behind this particular unintentional outage, we can see however that it was possible for a well informed individual to remotely take down a network in another country all over the public SS7 network, ie without any physical access to the target network.

Ericsson has since then patched the vulnerability on the affected Telenor HLR, however you may wonder how many other Ericsson HLRs are out there with the same vulnerability, that haven’t been patched yet, and how many other undiscovered vulnerabilities exist in thousands of Ericsson and other vendor’s mobile nodes that are deployed worldwide and connected to the public SS7 network.