SS7-based attacks still used to fraudulently deplete bank accounts

We had previously discussed real-world for-profit SS7 attacks that successfully helped deplete consumer bank accounts in Germany in an article in early 2017.
The SS7 part of the attack consists in intercepting 2FA tokens that are being sent by the bank to the customer’s phone via SMS, so that these tokens can be used by the attacker to validate outgoing online wire transfers initiated via online banking (a function commonly available in online banking interfaces outside the United States).

Now, two years later, one would expect that with wide ranging deployments of SS7 firewalls, such attacks would no longer be possible, at least not in developped countries which were among the first to implement countermeasures (the European Union mandated that operators protect their SS7 interconnects as far back as 2015).

Unfortunately, the reality is different, as reported recently by an article in Motherboard: Motherboard reports that bank accounts at the UK’s Metro Bank were recently depleted by attackers using SS7-based attacks against one or several UK mobile operators. This is particularly suprising consider that all mobile networks in the UK have already deployed on-premises SS7 firewalls, but consistent with reports from leading firewall vendors that fraudulent SS7 traffic is on the rise year over year.

This incident reminds us of two things:
– not all SS7 firewalls are created equal, and mobile operators ought to test that their firewalls are protecting them even against more elaborate Category 3 attacks, which this one falls under.
– mobile networks need to be tested on a regular and continuous basis, to ensure that protection remains in place over time. All too often, we see firewall rules being altered or dropped inadvertently several months after a firewall is deployed into a mobile network, and without regular external testing, it is nearly impossible to catch such an error until it is exploited.

The Telecom Defense Limited Company’s remote SS7 penetration test is able to test a mobile operator’s network quickly and inexpensively against all SS7 attack scenarios, including Category 3 attacks such as this one.

Of the importance of ONT vulnerability testing

Many operators who provide not only mobile but also fixed services to their subscribers are deploying FTTH (Fiber To The Home) services where the subscriber connects to the operator’s fiber network using an operator provided ONT (Optical Network Terminal). From a logical point of view, the ONT is similar to a DSL modem connected to a wireline network, and provides the customer with Internet access through the operator’s network, as well as optional additional services (such as IPTV).

In a recent engagement conducted for a North American carrier, a vulnerability assessment was conducted by The Telecom Defense Limited Company against the ONT device (manufactured by a mainstream vendor) deployed by the carrier at each subscriber’s residence.
A vulnerability was discovered in the ONT’s configuration which lead to the auditor accessing the entire management network of the carrier through the ONT. On the management network, management interfaces of several billing nodes and IP switching and routing nodes were reachable.
After further work, it was possible not only to access/compromise billing nodes (exposing billing records, customer CPNI, and possibly allowing for modification of billing records) but also to gain administrative access to the core IP router (again from a mainstream vendor) enabling a potential total DOS of the network as well as customer data traffic interception.

The above example illustrates how important it is for an operator not only to test the external interfaces of its network against vulnerabilities, but also to test any devices with privileged access to the network, such as ONT devices, DSL modems or Femtocells, to ensure that these cannot be used by an attacker as a bridge into a privileged area of the network where a wide ranging attacks can be executed.

The Telecom Defense Limited Company’s ONT vulnerability assessments are unique in the industry, because they used advanced hardware attack methods (such as physically extracting firmware from onboard EEPROMs) when necessary, in order to attempt and compromise ONT devices. This allows us to compromise devices that have been previously declared secure by traditional interface based tests.

How “IT” vulnerabilities can contribute to SS7 vulnerability exposure

In a recent blog post, we explained how it wasn’t sufficient to block SS7 attacks that allow attackers to obtain a subscriber’s IMSI (GSMA Category 1 vulnerabilities) in order to keep a network secure from further SS7 attacks. This is because many other ways exist to obtain a subscriber’s IMSI besides obtaining it via SS7.
Today we illustrate this idea by showing one more way attackers are obtaining subscribers’ IMSIs to potentially conduct subsequent Category 2 and 3 SS7 based attacks. The following video posted by hackers on Youtube, shows how an IT vulnerability in T-Mobile USA’s Internet facing infrastructure allowed attackers to harvest IMSIs for any T-Mobile USA subscriber. While the vulnerability has since been remediated by T-Mobile, it reinforces the idea that security by obscurity is not viable when it comes to defending against SS7 Category 2 and 3 vulnerabilities. And also that a mobile operator can never do enough FQDN penetration tests, ie penetration tests on its IT infrastructure.

The Telecom Defense Limited Company launches SS7 Cloud Scanner

The Telecom Defense Limited Company, a leading mobile network security consulting firm based in USA, launches the SS7 Cloud Scanner, a web-based SS7 penetration testing tool allowing mobile operators to easily test their SS7 defenses.

When mobile operators worldwide assess their networks for SS7 vulnerabilities, remediation work usually begins swiftly, starting with simple filtering rules that can be implemented on existing mobile network nodes or STPs, particularly against Category 1 SS7 vulnerabilities. Later, the process moves towards the deployment of a full-scale SS7 firewall, which is required to fully protect a network fully against all Category 2 and Category 3 vulnerabilities.

During this time, engineering staff is often operating blindly, changing filtering rules for SS7 messages that impact live subscriber traffic and relying on future traffic logs to determine if the filters are triggering properly. Sometimes, live subscriber traffic is affected and filters have to be rolled back.

The Telecom Defense Limited Company’s SS7 Cloud Scanner is a new product that allows mobile networks to generate SS7 messages towards the external interface of their networks, in order to accurately simulate messages from an attacker, and conclusively verify if vulnerabilities exist and/or if filtering rules are triggering.

The service is web-based and accessible through a standard Internet browser, and provides all SS7 connectivity, including global title identities from appropriate roaming partner sponsors, to generate incoming SS7 messages towards a mobile network.

SS7 messages reach the network through its SCCP carrier, and traverse all potential SS7 defenses just like messages from real attackers would. Unlike ruleset simulators or network internal traffic generators, this provides a fully reliable and conclusive way to test defenses.

Periodic testing of defenses is also important after an SS7 firewall has been deployed, particularly after each rule change, to ensure that no previously working defenses have been disabled.

This service has been created in response to several customer requests” says Jean Gottschalk, Principal Consultant of The Telecom Defense Limited Company.

While the service does not replace periodic external penetration testing by experienced auditors, many operators have reached a maturity level where they have one or more SS7 security specialists on staff that are able to design and managed filtering rules. The SS7 Cloud Scanner, which is similar to the tool used by The Telecom Defense Limited Company’s own auditors, allows these in-house specialists to perform adhoc checks with a lightweight and cost effective solution that requires no deployment or infrastructure inside the client’s network.

Unlike other SS7 penetration testing tools available, the SS7 Cloud Scanner requires no deployment, connectivity or infrastructure in the customer network, and provides a realistic approach by ensuring that all SS7 messages reach the network through external international roaming connections” adds Jean Gottschalk.

The SS7 Cloud Scanner is also available to country regulators with a need to periodically verify compliance of local operators to the country’s SS7 security guidelines or laws.

Mobile operators should contact The Telecom Defense Limited Company or their local VAS to discuss licensing the SS7 Cloud Scanner.

“Security by obscurity” not viable when it comes to SS7 vulnerabilities

As the awareness around SS7 vulnerabilities in mobile networks increases, thanks in good part to the work of the GSMA’s Fraud and Security Group (FASG), we find in the last few SS7 vulnerability tests that we conducted, that more operators are blocking Category 1 SS7 vulnerabilities, while not blocking anything else.

Category 1 vulnerabilities cover, among other things, the ability for an attacker to resolve a subscriber’s IMSI knowing only the subscriber’s phone number. The IMSI is in turn required to conduct most subsequent attacks such as call interception or SMS interception.
Category 1 vulnerabilities are usually easy to block with the most popular STPs, and while this is a step in the right direction, some operators falsly believe that their networks are safe from further attacks, because IMSIs cannot be resolved by attackers.

Attackers, including foreign intelligence agencies, have long been known to acquire IMSIs by using some of the following non-SS7 based method:
– following the target with a passive or active IMSI catcher
– getting physical access to the target’s phone for a short time, for example at a bar, nightclub or restaurant
– snooping on SCCP roaming signaling traffic, for example through leaks or attacks at SCCP carriers. An interesting story on the subject can be found here.

But in light of several recent massive leaks of MSISDN <-> IMSI lists in various countries, which are later found and brokered on the dark web, we would like to attract operators’ attention to a lesser known SS7 based method for building a MSISDN <-> IMSI list for an entire subscriber base.

The method relies on the MAP message RestoreData, which is used when an MSC has lost the profile for a subscriber that is still actively attached to the MSC, and the MSC must request a new copy of the subscriber profile from the HLR. This message can only be filtered with stateful, Category 3 type SS7 firewalls and often receives little attention in vulnerability assessments and remediation efforts. We have not seen any HLRs of any major vendors that are currently filtering this threat appropriately, even when expensive additional SS7 security packages are deployed.

A typical operator has a 6 digit MCCMNC, leaving 9 random digits in an IMSI for assignment to subscribers. By inspecting a sample of the operator’s SIM cards (from retail purchase at a few different outlets, including any MVNOs or sub-brands), this number range can often be reduced to 8 or less digits, particularly in smaller countries.
This gives us a maximum number of unique IMSIs of 100 million, possibly less.

Using the RestoreData message, an attacker can now sequentially request the profile for each possible IMSI from the HLR via SS7, starting with XXXXXXX00000000 all the way to XXXXXXX99999999. The first MSU sent by the HLR in answer to a RestoreData message generally contains the MSISDN, so that the operation can then be silently aborted to minimize the number of MSUs sent.
“Scanning” in this manner an 8 digit range of IMSIs would therefore only require 100 million MSUs to be sent in each direction.
If we assume that 10 MSUs per second is a “safe” packet rate for an attacker to stay under the radar, it would take 116 days of continuous scanning to build a full list of all subscribers’ IMSIs.
If the rate can be increased to 100 MSUs per second, the “scanning” of the entire subscriber base would only take 12 days. Less is the variable IMSI range can be narrowed to something smaller than 8 digits long.

Would an operator whose only SS7 security is STP based filtering of Category 1 messages notice such an attack, even at a speed of 100 MSUs per second? That would be a question for each operator’s security team to answer…

US Senate turning up the heat on US mobile operators to secure SS7 vulnerabilities

As reported by the the Daily Beast, Senator Ron Wyden of Oregon sent letters to all 4 US mobile operators last week inquiring on the steps they have taken to secure their networks against SS7 based vulnerabilities.

In the letter, Senator Wyden presents SS7 penetration testing as an effective way to learn the extent of the vulnerabilities existing in each network, and questions if operators are cooperating with the Department of Homeland Security to have such tests conducted. He also suggests that GSA (the General Services Administration which is responsible for all US government services RFPs) should be allowed to conduct SS7 vulnerability assessments of a mobile network prior to awarding it US government contracts, a novel but logical idea.

This new wave of government scrutinety will hopefull contribute in securing the US critical telecommunications infrastructure from SS7 and Diameter based attacks for good, just like other countries worldwide have been securing their own critical infrastructure in the past few years.

Google pushing users away from insecure SMS two factor authentication

Google recognized some time ago that two factor authentication by SMS is insecure, due to the possibily of the SMS being intercepted, in particular using SS7-based attacks. Google had introduced an alternative 2FA system based on software built into its Android operating system (or via the Google Search app on IOS) some time ago.

According to various media reports, in the coming days Google will start pushing users with SMS-based 2FA towards the new software based 2FA system to take SMS tokens and the associated risks out of the picture.

This is presumably in response to an increased number of SS7-based SMS token interceptions, which can result in Google email account takeovers by attackers.

The National Institute of Standards and Technology (NIST) had issued a guideline a year ago suggesting that US federal government agencies move away from SMS-based two factor authentication which is deemed insecure.

SMS token interception is part of the 30+ test cases covered by the  Telecom Defense Limited Company’s remote SS7 vulnerability assessment performed on mobile networks.

SS7 access now sold to the public on Tor

According to a recent article from The Verge, services using SS7 vulnerabilities, as well as a full unlimited SS7 connection, are now available for sale to anyone on Tor, .

While geolocation services have long been sold on a per query basis by companies like Verint or Circles, these companies were making a legitimate effort to sell exclusively to law enforcement agencies.

Screen_Shot_2017_06_13_at_1.40.47_PM

The Tor website at the address zkkc7e5rwvs4bpxm.onion however is selling not only geolocation queries, but also the ability to perform SMS interception or call interception, and these services are available to anyone with a credit card (and who can find the website), law enforcement or not.

According to Thomas Fox-Brewster, journalist for Forbes who covers issues around security and privacy, including SS7 vulnerabilities, and who interviewed the owner of this site some time ago, the services offered may not exist though, and the purpose of the site may simply be to scam buyers.

If the service offered is real however, this newest development could explain why we are now seeing SS7 attacks conducted by hackers for profit, such as the recent SMS intercept attacks in Germany, since this type of website would take the art of obtaining usable SS7 connections out of the equation for criminals.

 

First reported for-profit SS7 attacks

Security experts agree that malicous attacks are more likely to be perpetrated when a potential financial gain exists for the attackers. This is why our remote SS7 vulnerability assessments and SS7 vulnerability trainings make a point to show operators the gain that attackers can derive from each attack vectors, including the possibility to steal SMS-based tokens (also called TANs) used by banks in certain countries to provide two factor authentication to execute wire transfers.
Sueddeutsche Zeitung has just reported a series of sucessful attacks that took place earlier this year and resulted in multiple fraudulent wire transfers from bank accounts of German consumers.
More on this story, including comments from The Telecom Defense Company’s Principal Consultant Jean Gottschalk, can be found in an article published today by Security Week.

FCC releases long awaited CSRIC WG10 report on SS7 vulnerabilities

The report on vulnerabilities and risks inherent to the Signaling System #7 (SS7), which was ordered by the FCC from a specially formed group (CSRIC Working Group 10) thanks to the efforts, amongst other, of Congressman Ted Lieu, has finally been released.
A copy of the report can be downloaded here.

The working group aknowledges the vulnerabilities that are long known to exist in the SS7 network, and urges operators to follow the recommendations of the GSMA on adressing them. GSMA’s recommendations include among others the performing of regular external vulnerability assessments, as well as the implementation of specialized SS7 firewalls.
The working group also aknowledges that attacks on the SS7 network have taken place, and advocates end-to-end encryption as a potential permanent solution for subscribers, although the intelligence community typically sees strong encryption as a double edged sword.

Finally, the report points to Diameter signaling, which is intended to one day fully replace SS7, as an area of potential future concern, as well as potential vulnerabilities in ANSI-41 signaling and SIP signaling.

The Telecom Defense Company’s remote SS7 and Diameter vulnerability assessments can help operators identify and quantify the actual vulnerabilities that exist in their networks.

World-First SS7 Intelligence Report

While 2016 has seen a lot of attention from telecom regulators on the subject of SS7-based vulnerabilities, and some mobile operators have begun securing their networks, the vast majority of worldwide mobile networks remain vulnerable to SS7-based attacks against their subscribers. Using the SS7 network, an attacker can accurately geo-locate mobile phone, intercept text messages, record phone conversations and much more on unprotected mobile networks.

The Telecom Defense Limited Company’s SS7 intelligence report, updated monthly and sold via annual subscription, provides a mobile operator or regulator with valuable information regarding the identity of currently active attackers on the SS7 network, new attackers, volumes of attacks and trends, origins, types and signatures of attacks.

The reports are produced using anonymized SS7 metadata provided by various partner mobile operators around the world, which creates a representative and realistic picture of the worldwide threat landscape and its trends month after month.

The monthly report contains:

  • Current list of GTs originating malicious SS7 traffic
  • Correlation between attacking GTs and patterns
  • Types of attacks per GT
  • Activity patterns
  • OSINT information on the originating networks to help determine possible attribution
  • Volume of activity and trends

A similar report for the Diameter-based threat landscape is currently under development, and will be made available to customers in the near future.

Forward Defense and The Telecom Defense Limited Company sign regional strategic partnership

2016 has seen a lot of media attention towards SS7-based vulnerabilities that exist in worldwide mobile networks. These vulnerabilities allow attackers, including bad actors and foreign intelligence agencies, to accurately geo-locate nearly any mobile phone, intercept text messages, record phone conversations and much more.
Pushed by regulators and public attention, mobile network operators in several world regions are finally addressing these issues and securing their networks. GCC regulators are no exception and increasingly mandate that mobile network operators in the region quickly re-mediate these vulnerabilities.

The strategic partnership between the two companies now makes cutting edge resources, knowledge and methods to discover and re-mediate SS7 vulnerabilities available in the region directly through local GCC representation for the first time. Through the partnership, Forward Defense is adding the following to its already extensive offering in terms of IT security, training and penetration testing:
– Remote SS7 vulnerability assessments, conducted through the public roaming SS7 interface, to replicate most accurately the attack surface available to a third party attacker.
– Deep technical trainings on SS7 vulnerabilities and how to re-mediate them, both for mobile operators’ technical teams and local regulators. Lead consultants and security researchers from The Telecom Defense Limited Company are typically mobilized locally to deliver these very interactive training sessions.
– Assistance with RFPs and procurement of SS7 Firewall solutions to re-mediate vulnerabilities. Firewall vendors include those certified by The Telecom Defense Limited Company’s recently launched SS7 firewall certification process.

“The speed and low cost at which remote SS7 vulnerability assessments can be conducted using The Telecom Defense Limited Company’s methodology gives our customers a clear advantage when trying to re-mediate SS7 vulnerabilities in an expedient manner.” said David Michaux, Director at Forward Defense.

“We are delighted to be able to provide our expertise locally to operators in the GCC region through this strategic partnership, and of the positive feedback given by customers in our first joint engagements.“ said Jean Gottschalk, Principal Consultant and founder of The Telecom Defense Limited Company.

GCC mobile operators and regulators should contact Forward Defense to discuss any SS7 vulnerability re-mediation or training projects.

http://www.prweb.com/releases/2017/01/prweb14014988.htm

World’s first independent certification for SS7 firewalls

2016 has seen a lot of media attention towards SS7-based vulnerabilities that exist in worldwide mobile networks. These vulnerabilities allow attackers, including bad actors and foreign intelligence agencies, to accurately geo-locate nearly any mobile phone, intercept text messages, record phone conversations and much more.
Pushed by regulators and public attention, most mobile network operators around the world are now aware of this issue, and looking at ways to re-mediate the vulnerabilities and secure their networks. This often requires the deployment of specialized SS7 firewall appliances, to thwart the more complex attacks classified by GSMA (the GSM Association of mobile network operators) as Category 2 and Category 3 vulnerabilities.

But how can a mobile network operator ensure that the SS7 firewall appliance it chooses to deploy will effectively protect against all known SS7 vulnerabilities, now and in the future? Short of thoroughly testing the various appliances during an RFP process, which requires specialized equipment and know-how, this is a difficult task … until now!
The Telecom Defense Limited Company’s world first SS7 firewall certification is the solution to effectively screen vendors of SS7 firewall appliances.
To receive the certification, firewall vendors undergo a real life remote SS7 vulnerability test, which probes for vulnerabilities from all 3 GSMA vulnerability categories over the international roaming SS7 connection in a live mobile network protected by the appliance, replicating the conditions under which a real attacker would operate.
The certification is awarded to SS7 firewall appliances that successfully protect against well known vulnerabilities from all three GSMA-defined vulnerability categories, including when advanced obfuscation techniques such as SCCP spoofing are used.

The first certified SS7 firewall appliance is that of jtendo, a polish vendor of value added mobile network nodes. Other firewall appliance vendors are undergoing certification at the moment, and will be announced in the near future on the company’s website at http://www.www.telecomdefense.com.

“We are very proud to be the first SS7 firewall appliance to receive the Telecom Defense SS7 firewall certification”, said Piotr Szymanski, Director of jtendo. “The certificate confirms that our firewall product meets or exceeds all GSMA Fraud and Security Group guidelines as described in FS.11”.

“Certifications exist for many IT products, but for SS7 firewall appliances, which often require large capital investments on the part of mobile operators, there was no way to know if a product will successfully thwart off attackers until after it was deployed.”, said Jean Gottschalk, Principal Consultant and Founder of The Telecom Defense Limited Company. “The Telecom Defense SS7 firewall certification comes in response to our customers’ need to streamline their RFP process when selecting an SS7 firewall appliance.”

SS7 firewall vendors interested in applying for the certification should contact The Telecom Defense Limited Company, to have their product tested in a live deployment.

http://www.prweb.com/releases/2016/12/prweb13888246.htm

Why a mobile network needs to be retested for SS7 vulnerabilities after installing an SS7 firewall

The Telecom Defense Limited Company recently completed a SS7 vulnerability assessment for a mobile operator in Europe who had just deployed an SS7 firewall. The operator wanted to ensure, through an independent third party test, that the firewall is doing its job and that no vulnerabilities were left unprotected.

While we found that the firewall was remarkably good at protecting most of the vulnerabilities that are within the scope of our remote SS7 penetration test (things such as leaking of IMSIs, leaking of subscriber location, call intercept, denial of service attack surfaces etc), we were able to discover a handful of vulnerabilities, with low to high severity, that were left unprotected.
Our detailed report allowed the operator to go back to their firewall vendor and address the remaining vulnerabilities to ensure a 100% secure network.

This engagement illustrates why it is important for operators to not only perform initial SS7 vulnerability assessments on their networks, but also retest the network after vulnerabilities are deemed re-mediated, as well as re-test on a periodic basis (at least annually), in order to ensure that no new vulnerabilities have appeared after applying patches or upgrades to existing network nodes or to the firewall itself.

The Telecom Defense Limited Company can guide an operator through the remediation process from start to finish, including assistance with the RFP process for an on-premises SS7 firewall, to ensure that the selected firewall vendor effectively protects against all known vulnerabilities. Considering that the deployment of a network-wide SS7 firewall can be a multi-million dollar project, it’s a wise investment to have an independent third party ensure that the selected firewall is serving its purpose, before a purchase order is issued.

Can an entire mobile network be taken down via SS7?

Recently I was asked if it was really possible to take an entire mobile network down simply by sending a few clever SS7 messages to it, and whether there was any documented occurrence of such an event.

Long network wide “outages” do happen from time to time, for example in France in summer 2012, or in Australia and United Kingdom in summer 2014. These outages are usually explained by software glitches or physical issues, and sometimes not at all.

One network wide outage that was clearly due to an SS7 vulnerability recently, was a network wide outage of over 3 hours on the Telenor network in Norway in February 2016 (reported in the Norwegian news). The outage was caused by an SS7 security company that was conducting remote vulnerability assessments without the permission or knowledge of the assessed network Telenor, and sent the Ericsson HLR into a loop because it didn’t support a very rare SS7 message (I have a pretty good idea of which one!) that the security company sent to it over the public SS7 network.

While there clearly wasn’t a malicious intent behind this particular unintentional outage, we can see however that it was possible for a well informed individual to remotely take down a network in another country all over the public SS7 network, ie without any physical access to the target network.

Ericsson has since then patched the vulnerability on the affected Telenor HLR, however you may wonder how many other Ericsson HLRs are out there with the same vulnerability, that haven’t been patched yet, and how many other undiscovered vulnerabilities exist in thousands of Ericsson and other vendor’s mobile nodes that are deployed worldwide and connected to the public SS7 network.

Listening to a Congressman’s calls. Is it real?

A recent episode of the American show 60 Minutes showed German hackers listening to calls of a US Congressman, from the other side of the world, using a vulnerability found in SS7.

60 Minutes: Hacking into a Congressman’s phone.

Are you wondering if this type of attack would be possible in your network?

Chances are, yes it would be. In other words, if you haven’t done anything to specifically prevent this type of attack, then your network is probably vulnerable to this and other attacks. If you would like to know for sure, The Telecom Defense Company can conduct a SS7 penetration test on your network and confirm whether your network is vulnerable to this and other types of attacks. And of course, we will help you to secure your network and prevent these attacks in the future.