Security breaches in SS7 networks: threats, solutions and open issues

How secure is your mobile phone?

Would it surprise you that it could be hacked? Probably not. If the Edward Snowden leaks are anything to go by you probably expect the NSA, FBI, GCHQ or another government acronym to have the capability to spy on you. Of course, to do so they need expensive equipment, direct access to your mobile network and highly trained hackers.

But what if mobile phones could be hacked much easier, without expensive equipment? And what if hackers don’t have to be connected to your network, or even in your country? Right now there is a massive security flaw in how all mobile networks operate and communicate with each other.
SS7 Network, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers. How can a mobile operator protect its customers from attacks when the protocol used between mobile operators is poorly designed, with many “features” that can be easily exploited?

R Systems at DevTalks 2015
R Systems has already helped operators prevent these types of attacks and shared its know-how and experience in such projects at DevTalks 2015 Bucharest.
In the Mobile Imperative & Internet of Things section of the conference, Laurentiu Nedelcu, System Architect at R Systems, delivered a presentation regarding the security breaches in SS7 networks, the strategies applied to protect the privacy, possible solutions and yet open points.
The types of hacker attacks on GSM networks can vary from intercepting incoming and outgoing calls, redirecting incoming calls (maybe to an expensive number) or intercepting incoming SMS to location discovering, disrupting subscriber services, USSD request manipulation or subscriber profile manipulation.
The root of these breaches lies in the architecture of the GSM network. The architecture of the GSM network has been working for decades but no matter how robust, it still is purely collaborative, which means that the collaboration between operators is based on trust only.
In today’s context, when operators must open their networks to third parties, this is an important drawback which exposes them even more to the threat of an attack.
In order to make an attack, the hacker needs access to a computer, a specialized open source software and an internet connection to an operator’s core network. The attack usually happens in two phases: obtaining the subscribers’ information and performing the actual attack.

The R Systems solution
The solution proposed and already implemented by R Systems consists in creating a firewall which filters all traffic which can damage the network. The firewall can hide the subscribers’ information and therefore, when the attacker tries to use fake subscriber information, the network does not respond to the operations.
The context is even more complex as there is a number of undefined scenarios and the entire set of operations needed to protect the networks against attacks cannot be known. On the other hand, the platform must be open to enhancements, support 10,000 transactions per second, allow a standard response time of 1millisecond and allow a new product release in a matter of weeks.
Given these restrictions, R Systems developed a special solution which uses a common pattern for the telecom industry: Mass Processing – Real-Time – Emergency Architecture.
The solution uses Redis in memory cache for mass processing and CLIPS rules engine to analyse input. Using this solution, normal traffic is forwarded for service, whereas if the rules engine detects an attack, the event is rejected. One of the advantages of using CLIPS is that it allows the creation of a dynamic solution which can be enhanced and new attack patterns can be created and put into production easily.
In order to further test the solution in a laboratory environment, the next step is the development of an automated scenario development tool and a traffic replay simulator. The first one allows the definition of new attack scenarios and setting up alarms when new scenarios occur, whereas the simulator should get all normal traffic over a specific time frame, replay it and simulate it in the laboratory so that the solution can be tested in real traffic before going live.

The presentation “GSM. Security” was delivered by Laurentiu Nedelcu, System Architect at R Systems, at DevTalks 2015 Bucharest, on June 11, 2015.

About DevTalks 2015
DevTalks 2015 was the second edition of the IT conference DevTalks organized by The event took place in Cluj Napoca on May 13, 2015 and in Bucharest on June 11, 2015, at the Romexpo conference center. The event gathered developers and IT professionals with an interest in the trends that will shape Mobile, Web, Big Data, Cloud Computing and the Internet of Things.
DevTalks 2015 Bucharest in numbers: 416 developers, 44 international and local speakers, 40 presentations, 4 event stages, 4 main topics: The Future Web, Mobile imperative & Internet of Things, Cloud Computing, Big Data.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

Apply to this job

Contact us

Send your CV