SS7 Penetration Test

What is an SS7 penetration test?

You might be familiar with IP based “pen testing”, such as the tests performed on e-commerce websites in the USA to achieve PCI compliance as required by credit card companies. These tests are typically quick, inexpensive, and can be performed remotely over the Internet without physical presence or any physical devices being installed in the network.

A SS7 penetration test, or SS7 security audit, is very similar in concept to a PCI compliance test. Through our partnership with multiple mobile operators, we have access to worldwide SS7 connectivity. We will fire various SS7 messages at you from various external sources (trying when possible to test across your multiple SCCP providers, just in case one of them has implemented a cloud-based SS7 firewall solution). Sources of the messages will not be disclosed to you in advance, in order to maintain the independence of the test. Messages will replicate dozens of different types of attacks that are known to us, but will only be directed at specific single-purpose test subscriptions on your network, in order not to disrupt or breach privacy of any real subscriber.

We will not perform any network-wide DOS testing, for obvious reasons, unless you have a lab setup against which we can run these more involved tests.

Typically, no direct SS7 connection needs to be established with your network in order to conduct an audit, which keeps audits relatively inexpensive and quick, when compared to the cost and implementation time of a full-blown on-premises firewall solution.

After the test has been concluded, we will provide you with a report of the those vulnerabilities that have been detected on your network, and we will provide directions as to how they can be eliminated. At your option, we can interact with your mobile node vendors in order to facilitate the production and deployment of patches to address the various issues, and perform a rescan at a later time, to confirm that the vulnerabilities have been eliminated.

At this stage, some operators opt for our SS7 Cloud Scanner which allows their properly trained staff to generate ad-hoc SS7 messages from the external plane in order to test new STP or firewall rules. This can be particularly useful during the time when remediation work is conducted.

In some regions of the world, we sell our SS7 penetration testing services through VARs, and if a VAR is available in your area, it is likely that their security experts will be able to present test results to your team in person.
We also perform SS7 penetration tests on behalf of country regulators who wish to raise the issue of SS7 vulnerabilities in their country.