Circumventing SS7 firewalls

More and more operators are implementing signaling firewalls to protect their interconnect. While the firewalls make it harder to execute SS7-based attacks, they can be circumvented.

We performed SS7 pentests for mobile network operators who used signaling firewalls of all major vendors.

All of these firewalls could be bypassed to a certain degree. In some cases it was possible to use SS7/MAP and CAMEL services as if no firewall existed.

In this talk we will:

  • present concrete examples of how messages were constructed to bypass signaling firewalls of different vendors (and SMS Home Routing)

  • explain the vulnerabilities that lead to these bypasses and why it can be difficult to fix them

  • show how many operators use which level of protection with their firewall (FS.11 categories)

  • point out which message types/variants are often missed even though they can be quite dangerous

  • show how firewalls need to be changed generally to make them more secure

