Matthew 13:32 - Downsizing SS7 RCE

In 2018 I presented Root Canal at Telcosec Day, the first practical exploit delivery over SS7. This is the updated approach and the size constraints of Root Canal have been mitigated. Using the new method any MAP or CAP operation can technically be used to perform this type of attack.

Signaling protocols are murky waters and with SS7 more accessible than ever, the next generation attacks are becoming increasingly relevant. Signaling firewalls are being circumvented, device specific features and SIM applets are targeted. Creative attackers are regaining the capabilities lost to the first generation of signaling firewalls.

There are still plenty of issues with the SS7 protocols. We will take a look at how required features of the routing layer can be abused to shrink payload required for exploit delivery and how application layer encoding can be adapted for stealth and tunneling. We will show narrowband data exfiltration as well as command and control baked into seemingly harmless packets ready to traverse the global interconnect.

Closed source and vendor paranoia blocks many of the paths that could lead to in depth mitigation. We also look at how some of these issues may carry over to 5G and what we can expect in our shift from ASN.1 to JSON over HTTP2.