An Open-Source Toolkit To Help Patch Cell Networks' Critical Flaw

Carriers have ignored flaws in SS7 that allow hackers easy access to telecoms. A new set of open-source tools hopes to jumpstart a fix.

In May, a well-known but long-ignored cell network flaw let cybercriminals drain bank accounts across Germany. The process of patching the holes in Signaling System 7 has proven slow, and has mostly been reserved for large telecoms that can afford to invest in experimenting with defenses. But now a team of researchers has created a set of open-source SS7 defenses, making fixes for one of the world's most persistent vulnerabilities available to all.

Fixing flaws in SS7 will take more than buy-in from one or two carriers. As a utility network for telecoms that coordinates carrier interoperability—it facilitates the carrier handoffs that happen if, say, you start a call in Munich and end it in Milan—SS7 is a collaborative effort. It was designed for a closed club of trusting operators and does not authenticate where a query comes from, so it wasn't built to consider the possibility that a query might not be legitimate. As a result, attackers take advantage of its trusting nature to reroute text messages, or to request location data for a phone over and over to track where its owner goes. (SS7 issues gained national notoriety in a 60 Minutes segment last year, but they have plagued the telecom industry for years.)

Companies can head off SS7 issues by implementing firewalls and filters that scrutinize SS7 requests more closely instead of blindly fulfilling any query from anywhere. But those efforts have been disjointed so far. The firewall and other defensive features developed by researchers at P1 Security—a firm that specializes in telecommunications, mobile, and embedded systems—aim instead for wide distribution, a sort of jumping-off point for broader adoption. The group announced open source versions of these tools for SS7 (and its 4G counterpart, Diameter) on Wednesday at the Black Hat security conference in Las Vegas.
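To make the "scrutinize instead of blindly fulfill" idea concrete, here is a small SS7 request filter in the spirit of the firewalls described above. It is an added example written for this page, not P1 Security's code or any part of their release. It assumes a simplified message model (a dict carrying the SCCP calling global title, the MAP operation name, the target IMSI and a timestamp), treats a handful of subscriber-lookup operations as internal-only, and rate-limits the routing-info queries that are abused for location tracking; the global-title prefixes, IMSIs and limits are illustrative values, and the sample traffic is constructed.

```python
"""Minimal SS7 (MAP) request filter: drop internal-only operations arriving
from foreign global titles, and rate-limit repeated location lookups.

Added example, not the article's or P1 Security's code.  The message model,
the home-network global-title prefix, the operation sets and the limits are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque

# Assumption: the operator's own signalling nodes have global titles under
# this prefix (constructed value).
HOME_GT_PREFIXES = ("4917",)

# Operations that return subscriber location/identity and only make sense
# between an operator's own nodes; a foreign origin is treated as hostile.
INTERNAL_ONLY_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}

# Operations a roaming partner legitimately sends a few times (e.g. to route
# an SMS), but which leak the serving VLR and so are polled by trackers.
TRACKING_OPS = {"sendRoutingInfoForSM", "sendRoutingInfo"}

RATE_LIMIT = 3          # queries allowed per (calling GT, IMSI) ...
WINDOW_SECONDS = 600    # ... inside this sliding window


class Ss7Filter:
    def __init__(self, home_prefixes=HOME_GT_PREFIXES,
                 limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.home_prefixes = home_prefixes
        self.limit = limit
        self.window = window
        # (calling_gt, imsi) -> timestamps of recent tracking-capable queries
        self.history = defaultdict(deque)

    def is_home(self, gt):
        return gt.startswith(self.home_prefixes)

    def decide(self, msg):
        """Return ("allow" | "drop", reason) for one incoming MAP message."""
        op, gt, imsi, ts = msg["op"], msg["calling_gt"], msg["imsi"], msg["ts"]
        if self.is_home(gt):
            return "allow", "origin is a home global title"
        if op in INTERNAL_ONLY_OPS:
            return "drop", f"{op} must not arrive from outside the network"
        if op in TRACKING_OPS:
            recent = self.history[(gt, imsi)]
            while recent and ts - recent[0] > self.window:   # expire old entries
                recent.popleft()
            recent.append(ts)
            if len(recent) > self.limit:
                return "drop", (f"{op} from {gt} for {imsi}: "
                                f"{len(recent)} queries in {self.window}s")
        return "allow", "no rule matched"


def run(messages, filt=None):
    """Filter a message list; returns (op, calling_gt, decision, reason) tuples."""
    filt = filt or Ss7Filter()
    return [(m["op"], m["calling_gt"], *filt.decide(m)) for m in messages]


# Constructed traffic: a home node, a roaming partner routing one SMS, then the
# same foreign GT probing the same subscriber (an ATI, then repeated SRI-SM).
SAMPLE_TRAFFIC = [
    {"ts": 0,   "calling_gt": "491700000001", "op": "updateLocation",       "imsi": "262990000000001"},
    {"ts": 5,   "calling_gt": "393350000001", "op": "sendRoutingInfoForSM", "imsi": "262990000000001"},
    {"ts": 10,  "calling_gt": "393350000001", "op": "anyTimeInterrogation", "imsi": "262990000000001"},
    {"ts": 60,  "calling_gt": "393350000001", "op": "sendRoutingInfoForSM", "imsi": "262990000000001"},
    {"ts": 120, "calling_gt": "393350000001", "op": "sendRoutingInfoForSM", "imsi": "262990000000001"},
    {"ts": 180, "calling_gt": "393350000001", "op": "sendRoutingInfoForSM", "imsi": "262990000000001"},
    {"ts": 900, "calling_gt": "393350000001", "op": "sendRoutingInfoForSM", "imsi": "262990000000001"},
]

if __name__ == "__main__":
    for op, gt, decision, reason in run(SAMPLE_TRAFFIC):
        print(f"{decision:5s} {op:22s} from {gt}: {reason}")
```

The two rules mirror the distinction the article draws: the first rejects outright a class of query that has no business crossing the network boundary, while the second lets a roaming partner's legitimate traffic through but stops the "over and over" polling used for tracking. In the sample run the ATI is dropped, the fourth SRI-SM inside the window is dropped, and the query at 900 seconds is allowed again because the earlier ones have aged out of the window. A production firewall would also need to look at the called party, the originating network's actual roaming relationship with the subscriber, and message-level plausibility, none of which this toy covers.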

“SS7 firewalls have existed in the industry for a few years now,” says Philippe Langlois, the CEO of P1 Security. “Are they deployed widely? No. It’s mostly the rich operators in developed countries who have them, or those in some small countries that have a [high] intensity of attacks. So by making this open source, not only are we hoping to help small operators get this technology, but at the same time we could help them as a collective group get better security in a way that could not be done by any one operator.”

The group's open source tools are not finished, carrier-grade products yet, but the researchers hope they can act as a reference or general template for telecom companies that don’t have the resources to start development from scratch. And though the work is preliminary, it still goes beyond the filters and firewalls moneyed telecoms have already implemented.

Firewalls can detect “active” SS7 attacks, like those that allow for SMS and call interception and user tracking. But the P1 researchers also wanted to contribute to development of defenses against so-called “passive” attacks, in which attackers with direct access can sit on the network long term, accessing and potentially storing unencrypted information like metadata and user locations in bulk. Researchers have even demonstrated vulnerabilities in Diameter that allow for passive spoofing attacks.

“The current [industry] effort is done just by simply discarding or filtering SS7 messages," Martin Kacer, a core network security researcher at P1, says. But he notes that filtering alone doesn't resolve SS7's potential privacy issues. “If there is somebody sniffing the wire, then simply discarding messages will not help.”

The P1 Security tools include a framework for encrypting and decrypting SS7 messages using public and private keys, much like the general security setup for email. Ideally, even someone who has the ability to surveil SS7 then can't just vacuum up everything passing across the network, because that data will be encrypted. Of course, if one carrier offers the ability to encrypt SS7 request traffic but others don't, the protection won't follow users as their communications move from carrier to carrier around the world. Full protection requires broad collaboration.

If nothing else, the open-source project could jumpstart the process of developing standards for securing SS7, which has stalled for decades. The telecom industry is notorious for moving slowly on codifying standards, but in the case of SS7 vulnerabilities, the stakeholders may include more than just carriers.

"I’m going to put my tinfoil hat on my head," Langlois says. "There are people who are very critical of the telecom industry, saying that there were actually attempts at getting better security which were distorted into specifications that could never be implemented because they are too complex. And some people say, well, if I were NSA or whatever intelligence agency I would do exactly that to guarantee that my feed of passive data collection is not disrupted."

Whatever has slowed the process down, better privacy and security protection for users is long overdue. An open-source research solution may just be a start, but even that improves on the status quo.