SS7
SFMS PM AND RND TEAMS
Securing LTE Signaling Networks
Ilya Abramov Director of Network Security
2 | XURA SIGNALING FRAUD MANAGEMENT
Security of mobile network communication is questioned… December 2014 : Annual Chaos Communication Congress event held in Hamburg … German researchers discover a flaw that could let anyone listen to your cell calls.
Cellular Privacy SS7 Security Shattered at 31C3
Phone network hack means anyone can listen in on any mobile call
September 2015: “Hackers exploit SS7 vulnerability to spy on Australian senator: report”
April 2016: “Sharyn Alfonsi reports on how mobile phone networks are vulnerable.”
3 |
Xura Vulnerability Audit
?
The press is right *All validations have been performed on customer request
100% have vulnerabilities
4|
XURA SIGNALING FRAUD MANAGEMENT
How to create a solution (GSMA)
Monitor signaling
Focus on signaling from nonroaming partners Use SMS home routing To disrupt location tracking and IMSI discovery
Review the attacks
Categorize signaling primitives
Identify protection mechanisms per category
5|
XURA SIGNALING FRAUD MANAGEMENT
NB: Signaling categorization ≠ degree of security
Cat.I
Cat.II
Cat.III
Should not be sent between networks unless specifically authorized e.g. MAP sendRoutingInfo, MAP anyTimeInterrogation
Should only be received from subscriber’s home network e.g. MAP insertSubscriberData, MAP cancelLocation
Should only be received from subscriber’s visited network e.g. MAP UpdateLocation, MAP purgeMS
Relatively simple – but not sufficient on its own
Required to protect the MNO’ subscriber base against unauthorized messages that should never come from any other MNO.
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
6 | XURA SIGNALING FRAUD MANAGEMENT
The vulnerability will not simply go away Illustration of potential interconnect signaling evolution
SIP Diameter
2020
2019
2018
2017
2016
SS7
2015
SS7 will remain an important interconnect protocol for many years Diameter (and SIP) will become increasingly used Weakness in SS7 has been carried forward to Diameter Additional vulnerabilities in Diameter are known
7|
XURA SIGNALING FRAUD MANAGEMENT
Diameter security enforcement (GSMA - draft)
Cat.0
Low level anti-spoof. Realm check, Double AVP attack, malformed messages
Extends current DEA functionality
Cat.I
Consistency between command code and application ID/Interface enforcement
Detects not only explicit attacks but also misconfigured/badly implemented network elements
Cat.II
Detailed AVP screening. Messages should not target internal subscribers from international interconnect. Combination of Command, interface and detailed AVP: IMSI, MSISDN
Typically focusing on in-bound roamers and preventing roaming primitives for own subscribers
Correspond to location update procedures
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
Cat.III
8 |
XURA SIGNALING FRAUD MANAGEMENT
New requirements for Diameter Edge Agent
Security Policy Control From basic router
•Full Diameter packet decoding and analysis •Security enforcement policies •Real-time Threat monitoring •Signaling Flow validation •Intrusion detection •DoS attack detection and protection
DEA •Basic router •Basic access control
DiSC : Xura’s secure DEA
9 | XURA SIGNALING FRAUD MANAGEMENT
Diameter security policies Connectivity
Signaling level
•DNS validation checks for the new connected peers •Connectivity white list for the originating host •Overload prevention (mitigation) •Topology hiding •DTLS support •IP sec support •Detailed AVP policies (per signal, per AVP) •AVP consistency check •Dictionary enforcement •Detection of AVP check override / duplication •Validation of the originating peer based on the command code and the associated AVPs •Stateful validations •Velocity check
10 | XURA SIGNALING FRAUD MANAGEMENT
Multi-dimensional attack (SS7) Non SS7 method
Step 1: Get the IMSI IMSI Catcher Buy it online Ask the network for it SendRoutingInfo_for_SM
Use IMSI EraseSS ActivateSS DeactivateSS InterrogateSS RestoreData ProcessUnstructuredSS_Request SS_Invocation_Notification Register_CC_Entry Erase_CC_Entry Send_Identification SendRoutingInfo_for_LCS CancelLocation ProvideRoamingNumber DeleteSubscriberData Send_Parameters UnstructuredSS_Notify PurgeMS ProvideSubscriberInfo ProvideSubscriberLocation IST_Command RegisterSS
SMS interception
Location tracking
Voice Call interception
Denial of Service
€£$
Balance Transfer
11 | XURA SIGNALING FRAUD MANAGEMENT
Future multi-dimensional attack
2G/3G/4G
SS7/SIGTRAN
Attacker
Diameter
12 | XURA SIGNALING FRAUD MANAGEMENT
Secure network design Monitoring and Analytics
Consolidated signalling control • Monitoring all signalling flows • Real-time correlation and detection • Prevention of multi-dimensional attacks
Correlation module Signaling Firewall • International /national interconnect protection • Policies • Detection patters • Real-time detection and prevention
Secure DEA • LTE interconnect protection • Connectivity policies • AVP policies
13 | SECURING THE VULNERABILITIES EXPOSED IN SS7
Key factors for effective signaling security
One Solution
Firewall at network edge
Dedicated Task-specific
Analytics & Monitoring
SS7 + Diameter
Stateful Correlation
XURA Network Signaling Security
14 | XURA SIGNALING FRAUD MANAGEMENT
Thank you
[email protected]
Securing LTE Signaling Networks
Ilya Abramov Director of Network Security
2 | XURA SIGNALING FRAUD MANAGEMENT
Security of mobile network communication is questioned… December 2014 : Annual Chaos Communication Congress event held in Hamburg … German researchers discover a flaw that could let anyone listen to your cell calls.
Cellular Privacy SS7 Security Shattered at 31C3
Phone network hack means anyone can listen in on any mobile call
September 2015: “Hackers exploit SS7 vulnerability to spy on Australian senator: report”
April 2016: “Sharyn Alfonsi reports on how mobile phone networks are vulnerable.”
3 |
Xura Vulnerability Audit
?
The press is right *All validations have been performed on customer request
100% have vulnerabilities
4|
XURA SIGNALING FRAUD MANAGEMENT
How to create a solution (GSMA)
Monitor signaling
Focus on signaling from nonroaming partners Use SMS home routing To disrupt location tracking and IMSI discovery
Review the attacks
Categorize signaling primitives
Identify protection mechanisms per category
5|
XURA SIGNALING FRAUD MANAGEMENT
NB: Signaling categorization ≠ degree of security
Cat.I
Cat.II
Cat.III
Should not be sent between networks unless specifically authorized e.g. MAP sendRoutingInfo, MAP anyTimeInterrogation
Should only be received from subscriber’s home network e.g. MAP insertSubscriberData, MAP cancelLocation
Should only be received from subscriber’s visited network e.g. MAP UpdateLocation, MAP purgeMS
Relatively simple – but not sufficient on its own
Required to protect the MNO’ subscriber base against unauthorized messages that should never come from any other MNO.
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
6 | XURA SIGNALING FRAUD MANAGEMENT
The vulnerability will not simply go away Illustration of potential interconnect signaling evolution
SIP Diameter
2020
2019
2018
2017
2016
SS7
2015
SS7 will remain an important interconnect protocol for many years Diameter (and SIP) will become increasingly used Weakness in SS7 has been carried forward to Diameter Additional vulnerabilities in Diameter are known
7|
XURA SIGNALING FRAUD MANAGEMENT
Diameter security enforcement (GSMA - draft)
Cat.0
Low level anti-spoof. Realm check, Double AVP attack, malformed messages
Extends current DEA functionality
Cat.I
Consistency between command code and application ID/Interface enforcement
Detects not only explicit attacks but also misconfigured/badly implemented network elements
Cat.II
Detailed AVP screening. Messages should not target internal subscribers from international interconnect. Combination of Command, interface and detailed AVP: IMSI, MSISDN
Typically focusing on in-bound roamers and preventing roaming primitives for own subscribers
Correspond to location update procedures
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
Cat.III
8 |
XURA SIGNALING FRAUD MANAGEMENT
New requirements for Diameter Edge Agent
Security Policy Control From basic router
•Full Diameter packet decoding and analysis •Security enforcement policies •Real-time Threat monitoring •Signaling Flow validation •Intrusion detection •DoS attack detection and protection
DEA •Basic router •Basic access control
DiSC : Xura’s secure DEA
9 | XURA SIGNALING FRAUD MANAGEMENT
Diameter security policies Connectivity
Signaling level
•DNS validation checks for the new connected peers •Connectivity white list for the originating host •Overload prevention (mitigation) •Topology hiding •DTLS support •IP sec support •Detailed AVP policies (per signal, per AVP) •AVP consistency check •Dictionary enforcement •Detection of AVP check override / duplication •Validation of the originating peer based on the command code and the associated AVPs •Stateful validations •Velocity check
10 | XURA SIGNALING FRAUD MANAGEMENT
Multi-dimensional attack (SS7) Non SS7 method
Step 1: Get the IMSI IMSI Catcher Buy it online Ask the network for it SendRoutingInfo_for_SM
Use IMSI EraseSS ActivateSS DeactivateSS InterrogateSS RestoreData ProcessUnstructuredSS_Request SS_Invocation_Notification Register_CC_Entry Erase_CC_Entry Send_Identification SendRoutingInfo_for_LCS CancelLocation ProvideRoamingNumber DeleteSubscriberData Send_Parameters UnstructuredSS_Notify PurgeMS ProvideSubscriberInfo ProvideSubscriberLocation IST_Command RegisterSS
SMS interception
Location tracking
Voice Call interception
Denial of Service
€£$
Balance Transfer
11 | XURA SIGNALING FRAUD MANAGEMENT
Future multi-dimensional attack
2G/3G/4G
SS7/SIGTRAN
Attacker
Diameter
12 | XURA SIGNALING FRAUD MANAGEMENT
Secure network design Monitoring and Analytics
Consolidated signalling control • Monitoring all signalling flows • Real-time correlation and detection • Prevention of multi-dimensional attacks
Correlation module Signaling Firewall • International /national interconnect protection • Policies • Detection patters • Real-time detection and prevention
Secure DEA • LTE interconnect protection • Connectivity policies • AVP policies
13 | SECURING THE VULNERABILITIES EXPOSED IN SS7
Key factors for effective signaling security
One Solution
Firewall at network edge
Dedicated Task-specific
Analytics & Monitoring
SS7 + Diameter
Stateful Correlation
XURA Network Signaling Security
14 | XURA SIGNALING FRAUD MANAGEMENT
Thank you
[email protected]
