Penetration Testing for a Telecom Network

End-to-End SS7/SIGTRAN and Diameter Security Assessment

As mobile technologies evolve, so does the threat landscape. The early generations of mobile networks (2G/3G) rely on SS7 and its IP-based variant SIGTRAN, a protocol family designed decades ago for a closed community of trusted operators, without adequate consideration of today's security implications.

SIGTRAN carries the same signalling applications (call control, mobility, SMS) as classic SS7, but over IP, using SCTP (Stream Control Transmission Protocol) rather than TCP or UDP. SCTP was chosen for the reliability and availability that signalling needs (multi-homing, multiple independent streams, message-oriented delivery) and adds a cookie-based four-way handshake that resists SYN-flood style attacks; it does not, however, authenticate or encrypt the signalling itself.

Diameter, in turn, is the authentication, authorization and accounting (AAA) protocol used in 4G networks (for example on the S6a interface between MME and HSS). It runs over TCP or SCTP and is the successor to RADIUS, with many additional features.

SS7 is the key protocol used to provide services in 2G/3G networks. It carries all signalling: mobility management, call handling, SMS delivery and subscriber authentication. SS7 was originally transported over TDM telephony links; today an IP-based transport, M3UA (MTP3 User Adaptation) over SCTP, is used instead.

The first public disclosure of SS7 vulnerabilities was in 2008. Since then attackers have become active, buying SS7 access and selling services on the dark web: call interception, SMS interception, roaming fraud, denial of service, location tracking, SMS spam, premium-number calling and toll fraud. To this day these vulnerabilities are being exploited and the resulting services sold. We performed SS7/SIGTRAN penetration testing for operators, helped them find their SS7 vulnerabilities and implement a signalling firewall, and educated them about signalling threats, their impact and ways to fix them.

Key challenges in SS7 networks:

  • No encryption or authentication in the protocol
  • Lack of awareness among operators
  • Limited visibility of the attack tools in use
  • Lack of filtering capabilities
  • Multiple OpCos and circles to secure consistently
  • A mix of vendors with no common feature set across the signalling routers

Diameter inherits similar weaknesses from SS7: location tracking, illegal profile manipulation to obtain free services, SMS spam, denial of service and so on. We performed signalling penetration testing on the operator's network and identified Diameter interfaces that should not be reachable over the roaming interface, as well as messages that need plausibility checks.

Key challenges in Diameter roaming:

  • Plain-text communication with roaming partners
  • Lack of filtering at the different levels (GSMA category 0, 1, 2 and 3 messages)
  • Traffic for non-roaming interfaces was allowed through the Diameter Edge Agent
  • No plausibility checks on messages that require them
  • Multiple OpCos and circles to secure consistently
  • A mix of vendors with no common feature set across the signalling routers

We performed the signalling security penetration test from the position of a roaming partner and audited the signalling network elements. We identified ways to stop basic attacks using the infrastructure the operator already had, identified the required inter-operator and intra-operator message types, and implemented filtering at the operator boundary following the GSMA framework.

We also analysed signalling traffic and CDRs to determine whether the network was already under attack, and trained the operator's NOC and SOC teams on the parameters to monitor for threats.
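A sketch of the traffic analysis just described, added here as an example rather than Ejyle's own audit tooling: it parses constructed signalling log lines (the field layout is made up for this example, no vendor format is implied) and reports three of the parameters a NOC/SOC would monitor at the interconnect: intra-PLMN-only operations arriving from outside, bursts of sendRoutingInfoForSM against many distinct MSISDNs from one global title, and SRI-SM queries that are never followed by an mt-forwardSM.

```python
"""Added example: offline review of signalling logs for signs of an ongoing
attack. Log lines, global titles and numbers below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that have no business arriving from the interconnect (subset).
INTRA_PLMN_ONLY = {"sendIMSI", "provideSubscriberInfo",
                   "anyTimeInterrogation", "anyTimeModification"}

LOG_RE = re.compile(r"^(?P<ts>\S+) src_gt=(?P<gt>\d+) op=(?P<op>[\w-]+) "
                    r"imsi=(?P<imsi>[\d-]+) msisdn=(?P<msisdn>[\d-]+)$")

# Constructed sample: GT 1002... enumerates five numbers via SRI-SM and never
# delivers an SMS; GT 1003... does one legitimate SRI-SM + MT-ForwardSM;
# GT 1004... sends intra-PLMN-only operations from outside.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z src_gt=10025550001 op=sendRoutingInfoForSM imsi=- msisdn=1001555000101
2024-03-01T09:00:03Z src_gt=10025550001 op=sendRoutingInfoForSM imsi=- msisdn=1001555000102
2024-03-01T09:00:06Z src_gt=10025550001 op=sendRoutingInfoForSM imsi=- msisdn=1001555000103
2024-03-01T09:00:09Z src_gt=10025550001 op=sendRoutingInfoForSM imsi=- msisdn=1001555000104
2024-03-01T09:00:12Z src_gt=10025550001 op=sendRoutingInfoForSM imsi=- msisdn=1001555000105
2024-03-01T09:00:20Z src_gt=10035550002 op=sendRoutingInfoForSM imsi=- msisdn=1001555000777
2024-03-01T09:00:21Z src_gt=10035550002 op=mt-forwardSM imsi=001010000000777 msisdn=-
2024-03-01T09:00:30Z src_gt=10045550003 op=provideSubscriberInfo imsi=001010000000042 msisdn=-
2024-03-01T09:00:31Z src_gt=10045550003 op=anyTimeInterrogation imsi=- msisdn=1001555000042
this line is deliberately malformed and must be skipped
"""


def parse(text: str) -> list:
    """Parse key=value log lines into dicts sorted by time, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, window=timedelta(minutes=5), enum_threshold=5) -> list:
    """Return (src_gt, finding, detail) tuples, one group per originating GT."""
    findings = []
    by_gt = defaultdict(list)
    for e in events:
        by_gt[e["gt"]].append(e)
    for gt, evs in by_gt.items():
        # 1. intra-PLMN-only operations seen at the boundary
        for e in evs:
            if e["op"] in INTRA_PLMN_ONLY:
                findings.append((gt, "intra-PLMN operation from interconnect", e["op"]))
        sri = [e for e in evs if e["op"] == "sendRoutingInfoForSM"]
        # 2. many distinct MSISDNs queried by one GT inside the window:
        #    subscriber enumeration (IMSI and serving-node disclosure)
        for i, e in enumerate(sri):
            targets = {x["msisdn"] for x in sri[i:] if x["ts"] - e["ts"] <= window}
            if len(targets) >= enum_threshold:
                findings.append((gt, "MSISDN enumeration via SRI-SM", len(targets)))
                break
        # 3. routing queries with no SMS delivery behind them: SRI-SM is being
        #    used as a location/IMSI oracle rather than to deliver messages
        mt = sum(1 for e in evs if e["op"] == "mt-forwardSM")
        if len(sri) >= 3 and mt < len(sri) / 2:
            findings.append((gt, "SRI-SM without SMS delivery",
                             f"{len(sri)} SRI-SM, {mt} MT-ForwardSM"))
    return findings


if __name__ == "__main__":
    for gt, what, detail in analyse(parse(SAMPLE_LOG)):
        print(f"{gt}: {what} ({detail})")
```

The thresholds (five targets in five minutes, fewer MT-ForwardSM than half the SRI-SM count) are starting points for a baseline, not GSMA values; on a real network they are tuned per roaming partner from the operator's own traffic profile.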

Our Diameter security test found many issues at the operator's roaming interface, including interfaces reachable over roaming that should not be. We helped the operator introduce regular configuration checks and periodic penetration testing, and implemented filtering of internal and external Diameter messages.
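The boundary filtering described in the SS7 section (inter-/intra-operator message types under the GSMA framework) and the Diameter filtering just mentioned follow the same decision path, shown here as an added example that is not Ejyle's tool or the operator's configuration. The category table is an illustrative subset in the style of GSMA FS.11 (SS7 MAP) and FS.19 (Diameter), not the full GSMA lists; the PLMN ids, GT prefixes, distances, subscriber records and the message dicts are constructed, and the message origin is modelled as a calling-party GT for both protocols (for Diameter the Origin-Realm would play that role). Category 1 is dropped outright, category 2 is accepted only from the home network of an inbound roamer, and category 3 gets plausibility checks, here a velocity check on location updates.

```python
"""Added example: category-based signalling firewall policy at the operator
boundary. Category table is an illustrative subset modelled on GSMA FS.11 /
FS.19; network ids, GT prefixes and distances are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Category 1: intra-PLMN only, must never arrive from the interconnect.
# Category 2: legitimate from a partner only for that partner's own
#             subscriber who is currently roaming in our network.
# Category 3: legitimate from partners, but needs plausibility checks.
CATEGORY = {
    "sendIMSI": 1, "provideSubscriberInfo": 1,            # MAP 58, 70
    "anyTimeInterrogation": 1, "anyTimeModification": 1,  # MAP 71, 65
    "cancelLocation": 2, "insertSubscriberData": 2,       # MAP 3, 7
    "updateLocation": 3, "sendAuthenticationInfo": 3,     # MAP 2, 56
    "sendRoutingInfoForSM": 3,                            # MAP 45
    "Cancel-Location-Request": 2, "Insert-Subscriber-Data-Request": 2,      # S6a 317, 319
    "Update-Location-Request": 3, "Authentication-Information-Request": 3,  # S6a 316, 318
}
LOCATION_OPS = {"updateLocation", "Update-Location-Request"}


@dataclass
class Subscriber:
    home_plmn: str                      # MCC+MNC the IMSI belongs to
    serving_plmn: Optional[str] = None  # network of the last accepted location update
    last_update: Optional[datetime] = None


@dataclass
class SignallingFirewall:
    home_plmn: str
    gt_to_plmn: dict                    # calling-party GT prefix -> PLMN (constructed)
    distance_km: dict                   # frozenset({plmn_a, plmn_b}) -> km (constructed)
    subscribers: dict = field(default_factory=dict)  # IMSI -> Subscriber (HLR/VLR view)
    max_speed_kmh: float = 1000.0       # plausibility limit for location updates

    def origin_plmn(self, origin_gt: str) -> Optional[str]:
        """Longest-prefix match of the calling-party GT to a PLMN."""
        for prefix in sorted(self.gt_to_plmn, key=len, reverse=True):
            if origin_gt.startswith(prefix):
                return self.gt_to_plmn[prefix]
        return None

    def decide(self, msg: dict, now: datetime) -> tuple:
        """Return (verdict, reason) for one message received from the interconnect."""
        cat = CATEGORY.get(msg["op"])
        if cat is None:
            return "BLOCK", "operation not on the roaming allow-list"
        src = self.origin_plmn(msg["origin"])
        if src is None or src == self.home_plmn:
            # unknown GT, or our own GT arriving from outside: spoofed origin
            return "BLOCK", "origin is not a roaming partner"
        if cat == 1:
            return "BLOCK", "category 1: intra-PLMN operation from interconnect"
        sub = self.subscribers.get(msg["imsi"])
        if cat == 2:
            if sub is None or sub.serving_plmn != self.home_plmn:
                return "BLOCK", "category 2: IMSI is not an inbound roamer"
            if sub.home_plmn != src:
                return "BLOCK", "category 2: origin is not the subscriber's home PLMN"
            return "ALLOW", "category 2: home network acting on its own roamer"
        # category 3: the target must be our subscriber ...
        if sub is None or sub.home_plmn != self.home_plmn:
            return "BLOCK", "category 3: IMSI is not our subscriber"
        # ... and a location update must be physically plausible (velocity check)
        if msg["op"] in LOCATION_OPS:
            if sub.serving_plmn and sub.serving_plmn != src and sub.last_update:
                km = self.distance_km.get(frozenset((sub.serving_plmn, src)), 0)
                hours = (now - sub.last_update).total_seconds() / 3600
                if km > self.max_speed_kmh * hours:
                    return "BLOCK", f"category 3: velocity check failed ({km} km in {hours:.2f} h)"
            sub.serving_plmn, sub.last_update = src, now
        return "ALLOW", "category 3: plausibility checks passed"


def build_demo_firewall(t0: datetime) -> SignallingFirewall:
    """Constructed home network 00101 with roaming partners 00102 and 00103."""
    fw = SignallingFirewall(
        home_plmn="00101",
        gt_to_plmn={"1001": "00101", "1002": "00102", "1003": "00103"},
        distance_km={frozenset(("00101", "00102")): 1500,
                     frozenset(("00101", "00103")): 9000,
                     frozenset(("00102", "00103")): 8000})
    # our subscriber, last seen at home 10 hours ago
    fw.subscribers["001010000000001"] = Subscriber("00101", "00101", t0 - timedelta(hours=10))
    # inbound roamer from partner 00102, registered in our VLR/MME
    fw.subscribers["001020000000007"] = Subscriber("00102", "00101", t0 - timedelta(hours=1))
    return fw


def run_demo() -> list:
    """Feed a constructed sequence of interconnect messages through the policy."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    fw = build_demo_firewall(t0)
    events = [  # (minutes after t0, message)
        (0, {"op": "sendIMSI", "origin": "10025550001", "imsi": "001010000000001"}),
        (0, {"op": "updateLocation", "origin": "10025550001", "imsi": "001010000000001"}),
        (5, {"op": "updateLocation", "origin": "10035550002", "imsi": "001010000000001"}),
        (6, {"op": "Cancel-Location-Request", "origin": "10025550001", "imsi": "001020000000007"}),
        (6, {"op": "cancelLocation", "origin": "10035550002", "imsi": "001020000000007"}),
        (7, {"op": "sendAuthenticationInfo", "origin": "10015550009", "imsi": "001010000000001"}),
        (8, {"op": "unstructuredSS-Request", "origin": "10025550001", "imsi": "001010000000001"}),
    ]
    return [fw.decide(m, t0 + timedelta(minutes=off)) for off, m in events]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, "-", reason)
```

The demo sequence exercises each branch: a category 1 operation from a partner, a plausible location update followed five minutes later by one from a network 8000 km away, a category 2 command from the roamer's home network and then from a third network, a message carrying the operator's own GT from outside, and an operation absent from the allow-list.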

We educated the operator about the potentially dangerous message types and helped it implement signalling traffic audit methods.

  • After project completion the operator had a 360-degree view of how its SS7/Diameter network can be exploited by an attacker and how to prevent it.
  • The operator implemented a firewall with SS7/Diameter threat protection. An SS7/Diameter penetration testing tool was handed over so that the operator can test internally.
  • SS7/Diameter security assessment knowledge transfer was completed; the operator now uses this knowledge when approving configuration change requests for signalling routers.

Technology Expertise

The Ejyle team has expertise in 2G/3G/4G/5G telecom technologies. We have built tools for penetration testing and auditing the different telecom network interfaces: air interface, backhaul, core network and roaming interface.
We have also developed security-testing automation tools that can be used by professionals with limited security knowledge.

Reporting and Conflict Resolution

Each Ejyle engagement delivers comprehensive executive and technical reports, including graphs of the vulnerabilities discovered, their severity, their CVSS scores and our recommendations. Ejyle also helps resolve requested configuration changes that are held up by vendor incompatibility, service requirements and similar constraints.

Ejyle runs a lab for telecom network research. As a GSMA Associate Member we participate in the GSMA Fraud and Security Group. Our senior team members have presented research at security conferences such as Black Hat, Nullcon and c0c0n.