Page 19 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
P. 19
tion strategies for many SS7 attacks on 2G/3G network. 11 IMPLEMENTATION OF MITIGATION AMONG
Based on the filtering rules found in this document an MOBILE OPERATORS
operator can determine if a message that arrives at
the interconnection interface is legitimate, prohibited, Mobile operators have not really addressed the issue of
unauthorized, suspicious or otherwise “strange”. SS7 telecom vulnerabilities. This is demonstrated by the
ENISA survey in the EU and the Security Infrastructure
10.2 FS.07 SS7 and SIGTRAN network security and Trust workstream survey by the ITU within the devel-
This document provides substantial background how oping world. According to ENISA’s survey most telecom
to handle SS7 messages on the edge of the network. It operators only addressed this issue by implementing SMS
describes the whole SS7 stack, while putting emphasis home routing and performing some filtering on signal-
10
11
on the MAP protocol level, where attacks are most com- ling nodes. Only about a quarter of the telecom operators
mon. It provides security analysis for SS7 and SIGTRAN. have implemented any of the mitigation strategies men-
It lists a set of countermeasures for many SS7 attacks, tioned in Section 11 above. In the developing world the
and recommendations on how they can be deployed. majority of the telecom regulators and telecom operators
FS. 07 also contains details on how to configure an SS7 surveyed did not know about these mitigation strategies,
firewall or an edge node to stop unauthorized messages and for those who knew, the implementation rate was
and attacks from reaching the core network, for all MAP very low (below 10%).
v2/3 messages and provides countermeasures for the The reason for this low implementation rate is simple,
currently known SS7 attacks. implementing strong mitigation strategies are cost inhib-
iting for the telecom operator. About 75% of the surveyed
10.3 IR.82 security SS7 implementation on SS7 net- operators in the EU replied that cost is the inhibiting fac-
work guidelines tor in implementation, that and the lack of regulation
This document outlines general security measures for mandating it.
SS7 security, which include for example SMS specific
security measures and many SS7 stack related security FIGURE 9: Implementation of mitigation in mobile operators
measures. It should be seen as a toolbox for operators, within the EU
as not every measure mentioned in this document can 100%
be deployed in every network. 87.1%
80%
10.4 IR.88 LTE and EPC roaming guidelines 71.8%
This document outlines LTE interconnect (roaming)
security measures. It is the LTE counterpart to the IR.82. 60%
It contains a security toolbox for Diameter, it covers
aspects like routing attacks, DoS, location tracking and 40% 33.3%
other types of diameter-based interconnection attacks 28.2% 25.7% 20.5%
on the SCTP, GTP and interface specific recommenda- 20% 12.8%
tion e.g. S6a, S9, S8. It also tackles legacy interworking,
SMS security and charging and policy related security 0%
Active testing/auditing
Implement SMS and end nodes Implement signaling Aviodance of optimal analytics
Filtering on transit
Implement advanced
aspects. Other
home routing
firewall
call routing
10.5 Mitigations in GSMA documents vs common
telecom attacks
TABLE 3: Coverage of mitigation strategies in GSMA documents FIGURE 10: Mitigation implementation in the developing world
vs common SS7/Diameter attacks
80%
Attack FS.11 FS.07 IR.82 IR.88
(2/3G) (2/3G) (2/3G) (4G) 70%
Spam ✘ ✓ ✓ ✘ 60%
Spoofing ✓ ✓ ✓ ✘ 50%
Location tracking ✓ ✓ ✓ ✓ 40%
30%
Subscriber fraud ✘ ✓ ✓ ✓
20%
Intercept ✘ ✓ ✘ ✘
10%
Denial of Service (DoS) ✓ ✓ ✓ ✘ 0%
Infiltration attacks ✓ ✓ ✓ ✓ Unaware Aware Implemented
Routing attacks ✘ ✓ ✓ ✘
Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions • 17