Security Challenges around SS7 and Diameter signalling: Interview with Symsoft’s Fredrik Söderlund
Ahead of Mobile 360 – Privacy and Security in The Hague and the workshop “Preparing the Network from SS7 to DIAMETER”, we caught up with Fredrik Söderlund, Software and Systems Security Advisor at Symsoft, to discuss the security challenges around SS7 and Diameter signalling and how the network can be secured with robust signalling firewall technology.
“There is a lot of good work being done within the GSMA and there are many talented people collaborating in the working groups to draft recommendations and best practice documents. This work has progressed to a point where good protection actually can be achieved by deploying stateful signalling firewall technology and configuring the network properly.”
“I think an issue for concern still in signalling security is that the scope for the last couple of years has been limited to just signalling,” he said. “We have built awareness in the industry regarding risks related to a single perimeter. However, in addition to pure signalling risks, the affected protocols also have the ability to carry attacks that go beyond mere signalling abuse. Symsoft published a whitepaper on attacks using malformed packets in 2017 highlighting this. In 2018 at the Troopers security conference in Heidelberg we demonstrated this new class of SS7 attacks by practical example of remote code execution delivered over SS7. The information was disclosed to the GSMA through the GSMA Coordinated Vulnerability Disclosure programme in December 2017. Bringing these new attacks into view and increasing understanding of the issues is one of the challenges I see facing both us as security researchers and solution providers, but also the industry as a whole.”
As the network evolves and we advance to LTE/Diameter signalling, we are still facing major challenges in the protocol design itself, as Fredrik explains:
“We are seeing more and more operators deploying stateful signalling firewalls, and this is definitely an important aspect of securing the wider network perimeter. Both SS7 and Diameter networks require protections against signalling attacks and abuse. It is important to cover both perimeters, as attacks may be carried out with information across both protocols. For example, retrieving the IMSI over SS7 and attacking the target over Diameter. If the SS7 networks can be properly secured it severely cripples attacker capabilities on Diameter and other signalling protocols.”
“However, the Diameter protocol is fundamentally flawed when it comes to the ability of an attacker to impersonate a trusted signalling source,” he says. “This issue was to some extent limited on SS7, but on LTE networks we have a situation where certain services can and should not be deployed without extending the protocol to mitigate this threat. Having said that, there is currently a less pronounced signalling risk on Diameter networks due to the limited set of interfaces currently in use on international links. There is ongoing work in the GSMA to propose mitigation techniques that will help secure Diameter for at least new interfaces by introducing verification of origin to prevent impersonation of source, and in addition to this potentially also introduce encryption of certain sensitive signalling data.”
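The two points above, a stateful firewall whose state spans SS7 and Diameter, and verification of a message's claimed origin against the link it actually arrived over, can be illustrated with a small defensive model. The following is an added example written for this article; it is not Symsoft's product code, not a GSMA-specified algorithm, and the peer names, realms, IMSI, commands and the time threshold are all constructed for illustration. Real firewalls implement many more categories of checks; the velocity check here uses a fixed minimum interval between registrations from different countries rather than a distance calculation.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


# Constructed allowlist (hypothetical): for every inbound signalling link (IPX peer),
# the set of origins that peer is contracted to carry. A Diameter Origin-Realm or an
# SS7 calling-party network that is not in the peer's set is a spoofed origin.
PEER_ORIGINS: Dict[str, Set[str]] = {
    "ipx-peer-a": {"operator-a.example"},
    "ipx-peer-b": {"operator-b.example", "operator-c.example"},
}

# Constructed: home country of each origin network, used by the velocity check.
ORIGIN_COUNTRY: Dict[str, str] = {
    "operator-a.example": "SE",
    "operator-b.example": "BR",
    "operator-c.example": "BR",
}


@dataclass(frozen=True)
class SignallingMsg:
    protocol: str   # "ss7" or "diameter"; one state table serves both
    peer: str       # inbound link the message physically arrived over
    origin: str     # claimed origin: Diameter Origin-Realm / SS7 calling-party network
    command: str    # normalised operation, e.g. "LOCATION_UPDATE", "ROUTING_INFO"
    imsi: str       # subscriber the message concerns
    ts: float       # arrival time in seconds


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


class StatefulSignallingFirewall:
    """Check 1: origin verification against the transport peer.
    Check 2: a stateful velocity check on location updates shared across SS7 and Diameter."""

    def __init__(self, peer_origins=PEER_ORIGINS, origin_country=ORIGIN_COUNTRY,
                 min_country_hop_s: float = 2 * 3600):
        self.peer_origins = peer_origins
        self.origin_country = origin_country
        # Constructed threshold: two registrations from different countries closer
        # together than this are treated as physically implausible.
        self.min_country_hop_s = min_country_hop_s
        # Last accepted registration per IMSI as (country, ts); protocol-agnostic.
        self._last_reg: Dict[str, Tuple[str, float]] = {}

    def check(self, msg: SignallingMsg) -> Verdict:
        # Check 1: is the link the message arrived over authorised to carry this origin?
        if msg.origin not in self.peer_origins.get(msg.peer, set()):
            return Verdict(False, f"origin {msg.origin!r} not authorised on peer {msg.peer!r}")

        # Check 2: stateful plausibility of location updates, whichever protocol carried them.
        if msg.command == "LOCATION_UPDATE":
            country = self.origin_country.get(msg.origin, "??")
            prev = self._last_reg.get(msg.imsi)
            if prev is not None:
                prev_country, prev_ts = prev
                if prev_country != country and msg.ts - prev_ts < self.min_country_hop_s:
                    return Verdict(False, f"implausible move {prev_country}->{country} "
                                          f"in {msg.ts - prev_ts:.0f}s")
            self._last_reg[msg.imsi] = (country, msg.ts)

        return Verdict(True, "ok")


def demo() -> List[Verdict]:
    """Constructed traffic: a genuine SS7 registration, then a spoofed Diameter message
    and an implausible cross-protocol re-registration against the same IMSI."""
    fw = StatefulSignallingFirewall()
    imsi = "240991234567890"  # constructed test IMSI
    traffic = [
        SignallingMsg("ss7", "ipx-peer-a", "operator-a.example", "LOCATION_UPDATE", imsi, 0.0),
        # Claims to be operator-a but arrives over peer-b: impersonated origin.
        SignallingMsg("diameter", "ipx-peer-b", "operator-a.example", "ROUTING_INFO", imsi, 30.0),
        # Origin is legitimately carried by peer-b, but the subscriber registered in SE a minute ago.
        SignallingMsg("diameter", "ipx-peer-b", "operator-b.example", "LOCATION_UPDATE", imsi, 60.0),
        # The same re-registration hours later is plausible and is accepted.
        SignallingMsg("diameter", "ipx-peer-b", "operator-b.example", "LOCATION_UPDATE", imsi, 9 * 3600),
    ]
    return [fw.check(m) for m in traffic]


if __name__ == "__main__":
    for v in demo():
        print("ALLOW" if v.allowed else "BLOCK", v.reason)
```

The second message is rejected before any state is consulted, which is the origin-verification property the GSMA work aims to give Diameter; the third is rejected only because the firewall remembered an SS7 registration when judging a Diameter one, which is what keeping one state table across both perimeters buys.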
5G will be another seismic shift in the mobile world, and with commercial deployments on the horizon, how can we ensure our future network avoids the signaling pitfalls of the past?
“The initial draft of 5G was heading over the same cliff as Diameter with the lack of integrity and confidentiality,” Fredrik explains. “It now seems that the first phase may be deployed without these features, but there is ongoing work to push for proper security features in phase two. Hopefully we will be able to finally fold the essential features into the protocol in the design phase rather than having to apply additional security features as a band-aid later on. But even with integrity and confidentiality there are a few potential clouds on the horizon. In 5G we are looking at essentially converting signalling network nodes into web servers. Perhaps not in a literal sense, but with the switch from dedicated protocols like MAP/CAP in SS7 and Diameter for LTE we are seeing 5G being built on HTTP2 and JSON. In SS7, and to some extent also Diameter, we had protocols that were less widely researched from a security perspective, not many off-the-shelf or open source tools designed to do damage, perhaps a few hundred qualified attackers worldwide and most of them with limited or narrow capability. On HTTP, however, we have an army of hackers, tooled up to the teeth and ready to go to work on any links they may come across. I am not completely sure what we can expect in terms of actual attacks, but I think it would be naive not to consider how the playing field may change as a consequence of this change of technology.”
Signalling security and the design of signalling protocols for next-generation networks are crucial for the success of the industry and future networks. The industry needs to take action now, Fredrik explained: “MNOs face many of the same threats as the regular IT industry: the OAM networks, web exposure both from the web site and the subscriber self-management perspective, MPLS networks, mobile application security, operating systems that host all the MNO services and so on. But beyond all those IT-type security issues we also face security of mobility management, and that means signalling. Signalling is one of the most unique traits of the mobile network and also the one we need to place most emphasis on going forward. It is vital that these issues are brought into view and given the necessary attention, especially given our track record of relying on trust as the main method of defence. For the mobile network to remain a trusted means of transferring sensitive data it is therefore vital that we improve the overall security posture, not only on legacy networks but also on our future networks.”
Fredrik will be joining the keynote session “Safeguarding the Network” on Thursday 31 May.
Mobile 360 – Privacy and Security will take place in The Hague on 30-31 May and will bring together security leaders from MNOs and across the tech ecosystem. Visit our website to see the full agenda, speaker line-up and pass options.