Exploit delivery and tunneling over SS7 - A new type of SS7 attacks
How SS7 despite size limitations can be used to deliver exploits that attack mobile network equipment and how SS7 can be used to tunnel data to and from compromised network elements.
This talk is specific to telecom security and deals with telecom specific protocols.
The talk discusses the commonly recognized SS7 signalling vulnerabilities and the root cause of what makes them work, how they are being mitigated, and why the industry seems to opt for half a solution rather than a complete one.
It then moves on to the prerequisites of a new type of SS7 attack that currently receives very little attention in telecom security: delivering an ASN.1-based RCE-type exploit over SS7. It shows how SCCP segmentation may be used to overcome the size barrier imposed by TDM networks, and how a two-stage attack can be realized using MAP operations with specific traits for the initial attack and infection. The second stage of the malicious payload is then delivered using other MAP operations that tunnel data sequentially, expanding the capability of the initial infection.
The attack is conceptual and does not target any specific vendor; instead it places emphasis on the delivery method and the possibilities offered by the protocol. It has been demonstrated many times that ASN.1 decoders may be vulnerable, and mobile network equipment is no exception.
An attacker can pursue either efficiency or stealth when performing this type of attack; the difference between these options is also described in this talk, and a demo of the attack can be provided illustrating the moving parts and how an initial attack can be made small enough to become viable. The demo also includes tunneling and some commands being passed to the compromised network node, illustrating how data is passed back and forth to and from the compromised element.
The closing part of the talk deals with proposed methods of mitigation and potential limitations when it comes to what can actually be mitigated. It also includes some advice when reviewing SS7 security solutions.
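The size barrier and the sequential tunneling described above both leave a footprint in SCCP segmentation (XUDT) records, which is where a signalling firewall can look. The following is an added example, not code from the talk or any vendor product: it groups constructed XUDT segment records by calling GT, called GT and segmentation local reference, reassembles each stream, and flags counter gaps, missing first segments, streams exceeding an assumed per-message segment cap, and calling GTs that emit an unusual number of segmented messages. The record fields, thresholds and sample values are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values (illustrative, not from the talk or any standard):
MAX_SEGMENTS_POLICY = 4        # more XUDT segments than this per message is suspicious
TUNNEL_STREAM_THRESHOLD = 3    # segmented messages from one calling GT before alerting


@dataclass(frozen=True)
class Segment:
    """One XUDT segment as a signalling firewall might log it (assumed schema)."""
    calling_gt: str
    called_gt: str
    local_ref: int      # Q.713 segmentation local reference (3 octets)
    first: bool         # Q.713 'first segment' indicator
    remaining: int      # Q.713 'remaining segments' counter, counts down to 0
    data: bytes         # SCCP user data carried by this segment


def group_streams(segments):
    """Group segments belonging to the same segmented message."""
    streams = defaultdict(list)
    for s in segments:
        streams[(s.calling_gt, s.called_gt, s.local_ref)].append(s)
    return streams


def ordered_segments(segs):
    """Order by the remaining-segments counter, highest (first segment) first."""
    return sorted(segs, key=lambda s: s.remaining, reverse=True)


def reassemble(segs):
    """Concatenate a stream's segments in order; returns the reassembled user data."""
    return b"".join(s.data for s in ordered_segments(segs))


def check_stream(segs):
    """Return a list of anomaly labels for one segmented message stream."""
    findings = []
    ordered = ordered_segments(segs)
    if not ordered[0].first:
        findings.append("missing_first_segment")
    expected = ordered[0].remaining
    for s in ordered:
        if s.remaining != expected:
            findings.append("segment_counter_gap")
            break
        expected -= 1
    if ordered[-1].remaining != 0:
        findings.append("incomplete_reassembly")
    if len(ordered) > MAX_SEGMENTS_POLICY:
        findings.append("segment_count_exceeds_policy")
    return findings


def analyse(segments):
    """Per-stream findings plus the calling GTs that look like sequential tunnels."""
    streams = group_streams(segments)
    report = {key: check_stream(segs) for key, segs in streams.items()}
    per_gt = defaultdict(int)
    for (calling, _called, _ref) in streams:
        per_gt[calling] += 1
    tunnel_suspects = sorted(gt for gt, n in per_gt.items() if n >= TUNNEL_STREAM_THRESHOLD)
    return report, tunnel_suspects


def constructed_sample():
    """Constructed records, not captured traffic; GTs are placeholders."""
    s = []
    # Ordinary two-segment message from GT 1234 to node 5678.
    s.append(Segment("1234", "5678", 0x0101, True, 1, b"A" * 200))
    s.append(Segment("1234", "5678", 0x0101, False, 0, b"A" * 100))
    # GT 9999 pushes three consecutive five-segment messages to the same node.
    for ref in (0x0201, 0x0202, 0x0203):
        for i in range(5):
            s.append(Segment("9999", "5678", ref, i == 0, 4 - i, b"B" * 250))
    # A stream whose first segment was never seen.
    s.append(Segment("4444", "5678", 0x0301, False, 0, b"C" * 50))
    return s


if __name__ == "__main__":
    report, suspects = analyse(constructed_sample())
    for key, findings in report.items():
        print(key, findings or "ok")
    print("tunnel suspects:", suspects)
```

The counters and the first-segment indicator are what Q.713 defines in the segmentation parameter; the per-message cap and the per-GT threshold are policy choices a network would tune to its own MAP traffic profile, since legitimate segmented MAP dialogues do exist and a fixed cap alone will not separate them from a staged delivery.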