The known unknowns of SS7 and beyond.

March 15, 2016 (at 11:45 a.m.) in

The "Telco Security Day" (TSD) is an additional event to Troopers. It takes place on Tuesday the 15th. As the event aims to bring together only researchers, vendors and practitioners from the telecommunication / mobile security field, it is an invitation-only event. The event is intended to be a discussion round for current topics, accompanied by talks covering various subjects from different domains (e.g. practical security research or hacking, 3GPP standardization, Telco security operations). The TSD is a closed event, and no filming or recording will be allowed. It will be held in English. The agenda is publicly available and will be published here soon. Please note there is also a Shared Dinner at 19:30 for TSD Speakers and Attendees. For questions, talk submissions or invitation requests, please contact hschmidt@ernw.de.

2014 turned out to be "the year of SS7 vulnerabilities", as telco researchers showcased several successful attacks using the Signaling System No. 7 (SS7) interconnection network, such as subscriber profile modification, eavesdropping, tracking of users, SMS spoofing and call/SMS redirection. These attacks are serious because SS7 and its IP version SIGTRAN, despite their age, remain a key signaling protocol in mobile networks and will long be required for interoperability and backward compatibility in international roaming. Understandably, the telecommunications industry is taking countermeasures against the vulnerabilities that were exposed through the aforementioned attacks.

Are all risks now mitigated? 

Definitely not! 

The complexity of the network layers and the diversity of the underlying protocols in SS7 make it more difficult to find all loopholes in the systems. There exist a lot of 'known functionalities' which are indeed the 'unknown vulnerabilities'. In this talk, we begin with one such vulnerability in detail, where we discuss how to exploit the relationship between IMEI and IMSI to unblock stolen mobile devices. Here, we also discuss the existing attacks on modification of the subscriber profile using SS7, to recap the contents of the subscriber profile. Secondly, we will outline extending the previously known SS7-based attacks to Diameter/LTE. Furthermore, we will also present an intuitive attack vector to emphasize the fact that telecommunication systems are being misused for surveillance.

Rao Siddharth

Siddharth Rao (Sid) is a research student guided by Prof. Tuomas Aura in the Secure Systems Group of Aalto University, Finland. He is an Erasmus Mundus student with double master's degrees in Information Security and Cryptography from Aalto University and the University of Tartu, Estonia, respectively. He started his exploration of security in telecommunication systems at Nokia Networks under the guidance of Dr. Silke Holtmanns and Dr. Ian Oliver through his thesis entitled "Analysis and Mitigation of Recent Attacks on Mobile Communication Backend". His current research interests include location privacy in telecommunication systems and exploitation of Interworking Functions (IWF) to study the signalling systems beyond SS7.