Circumventing SS7 firewalls
More and more operators are implementing signaling firewalls to protect their interconnect. While the firewalls make it harder to execute SS7-based attacks, they can be circumvented.
We performed SS7 pentests for mobile network operators who used signaling firewalls of all major vendors.
All of these firewalls could be bypassed to a certain degree. In some cases it was possible to use SS7/MAP and CAMEL services as if no firewall existed.
In this talk we will:
- present concrete examples of how messages were constructed to bypass signaling firewalls of different vendors (and SMS Home Routing)
- explain the vulnerabilities that lead to these bypasses and why it can be difficult to fix them
- show how many operators use what level of protection with their firewall (FS.11 categories)
- show which message types/variants are often missed even though they can be quite dangerous
- show how firewalls need to be changed generally to make them more secure