signaling network vulnerabilities exposed, protection strategies for operators - webinar december...

Signaling network vulnerabilities exposed: protection strategies for operators

Ilia AbramovProduct Director

|2 |

SS7 network security takes the stage

• December 2014

Annual Chaos Communication Congress event held in Hamburg

• SS7: Locate Track Manipulate• Mobile self-defence • SS7 Map – Mapping vulnerability of international mobile roaming infrastructure

Featured 3 presentations on SS7 security

• Location and tracking of mobile users• Denial of Service attacks• Eavesdropping via man in the middle attack – 2G and 3G• Traffic diversion• De-anonymization• Fraud• Spam

Demonstrated attacks though SS7 interconnects:

XURA SIGNALING FRAUD MANAGEMENT

|

Is there a problem?

We Think So…


| XURA SIGNALING FRAUD MANAGEMENT|

Anatomy of signaling exploitation

2

Illegal access to operator HLR (SRI, Femto cell, ATI, etc.)

Impact• Loss of subscriber privacy

• Loss of revenue by the MNO (location tracking service)

Faking of the subscriber profile (multiple ways)

Impact• Loss of subscriber privacy

• Subscriber churn• Legal exposure of MNO up to

revoking of license

Faking of the subscriber profile (multiple ways)

Impact• Loss of subscriber privacy• Impact on A2P revenue due to

compromised 2 layer authentication

Faking of the network element addressing

Impact• Attack on the other operator network• Revenue impact (e.g. fake SMSC)• Exposure of own network element in

the other operator attack

SMS interceptionLocation tracking of

the subscribers

Voice Call interception

Spoofing of the network elements

||

Nothing is safe beyond your network border

1

VLRHLR/HSS

• Impersonation• Service abuse• Call interception• DoS attack

• Location tracking,• Subscriber profile faking

Attacker Goals:- Specific subscriber (eavesdropping)- Network elements (information extraction,

Service interruption, DoS)- MNO Service & Revenue

• FemtoCell (IMSI harvesting)• Crypto cracking


| XURA SIGNALING FRAUD MANAGEMENT6 |

Attack motivation

Confidential data

Private and business conversations

Messaging and data

Most valuable asset is INFORMATION!

DoS attack on subscriber

Enforced service degradation

Service interruption

IRSF calls

Messaging fraud

Grey Routes

Financial

| XURA SIGNALING FRAUD MANAGEMENT7

Anatomy of the signaling attacks

IMSI

Obtain Subscriber IMSI

Fake

Fake subscriber profile

HLRHSS

MSCMME

HLRVLR

i

Receive callSMSData

SRI-SMATI

Attacks on subscriber private communication

Main attack action

|8 |

Mitigation: Technical measures

FASG

Keeping one’s network safe is an ongoing task of determining & blocking attacks, to be done by signalling experts

Can only be automated partially

SS7 firewall SMS Home Routing/Firewall

Monitor to see what kind of attacks your networks is exposed to

See the SS7 Monitoring Guidelines, authored by RIFS

Filter at the network edge

Diameter Edge Agent (DEA) at the edge to the IPX Network



IMSI Harvesting

HLR phishing

HLR/HSS

All security measures make sense

SRI for SM

ATI

Home Routing

STP filtering

FemtoCell

IMSI

Impossible to have full IMSI protection

However


Native Network integration

Real-Time monitoring

Traffic Control & Enforcement

Efficient security enforcement

SignallingFraud

ManagementDetects

signalling flowirregularities

Implementssignallingpolicies

Providesoperator

withdetailedinsight

Preventsfaking

XURA SIGNALING FRAUD MANAGEMENT11 |

Signaling challenges in LTE & VoLTE


Potential IP vulnerabilities rise in Telco industry

SS7

SIGTRAN

EPC Diameter

IMP SIP


Issue Risk CostPrepaid Abuse High HighDenial of Service (area) High HighVoIP Originated SS7 Injection Medium HighFinancial/charging fraud High HighPrivacy Theft Medium MediumIoT intrusion High High

Attack dimensions and Impact

Diameter attacks

occur in multiple

dimensionsAVP combinations and values

Sequ

enci

ng

and

Flow

Optional

parameters


Protecting EPC signaling network

Ensures 1st hop protectionChallenge: administration nightmareDoes protect from signalling attacks

Enable secure transport for the interconnects

Check packet compliancyEnforce Diameter message dictionary to the applications

Selectively filter any protocol extensionsPerform address consistency validation

Validate protocol consistency

Collect interconnect signaling dataAnalyze detected inconsistencies

Identify the sourcesEngage with roaming partners

Monitor and Act


Protect Legacy SS7/SIGTRAN network

•Focus on interconnect first•GSMA Recommendation•Signaling Firewall•Signaling flow monitoring and analytics

Secure design of EPC

•Ensure external connectivity via secure DEA•Enable transport security•Enforce protocol consistency• Implement Protocol level enforcement•Signaling flow monitoring and analytics

Ensure signaling perimeter control & monitoring

•Monitoring and analysis•Protocol enforcement capabilities

Signaling network protection strategy

XURA SIGNALING FRAUD MANAGEMENT16 |

You partner in signaling security

Understanding of signalling network architecture and principles

Years of reliable carrier grade signalling service

Guaranteed confidentiality!Revenue assurance

Network audit and penetration testing

Enforcement of security policies and real-time monitoring


Get in touch

Email [email protected]

Check out http://www.xura.com/our-services/digital-communications/security

Complimentary white papers

mailto:[email protected]

http://www.xura.com/our-services/digital-communications/security




THANK YOU

[email protected]