Circumventing SS7 firewalls
More and more operators are implementing signaling firewalls to protect their interconnect. While the firewalls make it harder to execute SS7-based attacks, they can be circumvented.
We performed SS7 pentests for mobile network operators who used signaling firewalls of all major vendors.
All of these firewalls could be bypassed to a certain degree. In some cases it was possible to use SS7/MAP and CAMEL services as if no firewall existed.
In this talk we will:
- present concrete examples of how messages were constructed to bypass signaling firewalls of different vendors (and SMS Home Routing)
- explain the vulnerabilities that lead to these bypasses and why it can be difficult to fix them
- show how many operators use which level of protection with their firewall (FS.11 categories)
- show which message types/variants are often missed even though they can be quite dangerous
- show how firewalls need to be changed generally to make them more secure