Who’s responsible for fixing SS7 security issues?

The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks’ two-factor authentication and drain their customers’ bank accounts.

SS7 security issues

According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network operator, and using that access to set up call and SMS forwarding for the targets’ mobile phone numbers.

O2 Telefonica, the German mobile network operator with which the victims opened their accounts, has reacted to the revelation by making it impossible for call forwarding to be effected by other organizations that have this kind of access to their network. Other German mobile network operators have effected the same change.
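
The mitigation described above, sketched as a screening rule with a per-origin tally for later audit (an added example, not O2's or any vendor's actual firewall logic). It assumes messages are already decoded into simple records; the record fields, the global-title prefixes and the sample traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumption: the home operator's own nodes share a global-title prefix.
HOME_GT_PREFIXES = ("99901",)                      # constructed, not a real allocation
FORWARDING_OPS = {"registerSS", "activateSS"}      # MAP supplementary-service operations
FORWARDING_SS = {"cfu", "cfb", "cfnry", "cfnrc"}   # call-forwarding service variants


@dataclass(frozen=True)
class SignalingMsg:
    origin_gt: str   # calling-party global title of the sending node
    operation: str   # decoded MAP operation name
    ss_code: str     # supplementary-service code, "" if the operation has none
    msisdn: str      # subscriber the request applies to


def is_home_origin(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIXES)


def decide(msg: SignalingMsg) -> str:
    """Block call-forwarding changes that originate outside the home network."""
    changes_forwarding = (
        msg.operation in FORWARDING_OPS and msg.ss_code in FORWARDING_SS
    )
    if changes_forwarding and not is_home_origin(msg.origin_gt):
        return "block"
    return "pass"


def screen(messages):
    """Return a verdict per message plus a count of blocked attempts per origin."""
    verdicts, blocked_by_origin = [], Counter()
    for msg in messages:
        verdict = decide(msg)
        verdicts.append(verdict)
        if verdict == "block":
            blocked_by_origin[msg.origin_gt] += 1
    return verdicts, blocked_by_origin


# Constructed sample traffic: one home-network request, three from a foreign node.
SAMPLE = [
    SignalingMsg("99901000001", "registerSS", "cfu", "99955500001"),
    SignalingMsg("88812000001", "registerSS", "cfu", "99955500002"),
    SignalingMsg("88812000001", "updateLocation", "", "99955500003"),
    SignalingMsg("88812000001", "activateSS", "cfnrc", "99955500002"),
]

if __name__ == "__main__":
    print(screen(SAMPLE))
```

The per-origin counter is the input an operator would review when auditing which interconnect partners are sending forwarding requests they have no reason to send.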

The National Institute of Standards and Technology (NIST) has for a while now been advising businesses to sunset SMS-based two-factor authentication and switch to alternative authenticators (e.g. security tokens or mobile apps like Google Authenticator).

But what solutions are offered for communication service providers (CSPs) who don’t want to potentially lose enterprise opportunities?

The responsibility of security lies with CSPs

“CSPs and those involved in authentication should increase their investment in this security method by upgrading existing systems with further measures. If mobile operators want to defend their role in enterprise Application to Person (A2P) communications, it is imperative that action is taken now to secure the SMS channel, (and the network more generally), before lucrative A2P messaging is put at risk,” Ilia Abramov, Product Director at Mavenir Security Solutions, told Help Net Security.

It’s on them to keep users safe, although in some countries governments and regulators have also stepped in to force issues to be resolved quickly.

“In the United States for example, Representative Ted Lieu has been outspoken since the publicized hack of his phone by 60 Minutes about the need for the FCC to take SS7 security steps. As another example, the government of Thailand has mandated solutions; however, the EU has been less outspoken about demanding a resolution,” Abramov noted.

According to him, there are two key measures Communication Service Providers (CSPs) should take to protect both their subscribers and networks from attack.

“Installing a signaling firewall should certainly be the first step to provide defense and mitigate risk. However, the threat landscape is dynamic, not static: CSPs should be regularly auditing and analyzing their networks to continuously monitor for any gaps where cybercriminals could attack – this is the second step.”

“The linkage between these two steps is of critical importance. On the one hand, the deployed firewall must be capable of supporting rapid enhancement as new security patches become necessary, and it must support those changes without jeopardizing the five-nines operation it is trying to protect. On the other hand, the firewall itself can dramatically enhance discoverability of new threats if it is equipped with the correct signaling analytics tools. The use of machine learning also greatly enhances the discovery of new attacks. Together these two additional aspects can simplify and accelerate the speed at which new dangers can be identified and patched.”

Switching from SS7 is not a panacea

It’s also easy for outsiders to simply say: “If SS7 is flawed, why don’t providers switch to using another technology?”

“Legacy SS7 technology will gradually be replaced by Diameter Signaling over the next ten years or so, but the switch is not security driven – it is a necessary evolution. CSPs are moving towards Diameter Signaling to support LTE and 5G investments in order to keep up with demands for new and improved services and Internet of Things (IoT) services, across both B2B and B2C offerings,” he explained.

But the signaling security issue the industry is experiencing is based on the fundamental need for CSPs to exchange information (signaling) to support inter-carrier calling and to support roaming.

“The underlying model of trust, and many of the resulting signaling exchanges are the same in Diameter as they are in SS7: consequently, a similar set of security ‘flaws’ exist in Diameter as in SS7,” he pointed out.

SS7 security issues: What can end users do?

There are some actions that we as individuals can take to keep ourselves safer from mobile fraudsters and hackers.

“Checking monthly cell bills for fraudulent charges, paying close attention to app permissions, limiting the sources you share personal data with, and checking account security if notifications or authorization codes are received without being requested are all good ideas,” says Abramov, adding that while these actions won’t protect against all threats, they are good prevention practices.

Keeping a close eye on one’s mobile banking applications and online accounts to flag fraudulent activity as soon as possible is also advised.