In this blog article I reveal how to defend against SS7 (System Signalling no: 7) vulnerabilities that are in every phone network and all are susceptible to various attacks.
Contents
I will go here into a full reveal and recommendations how to defend against it or minimise its effects. I wanted to write a complete how to on this topic as it affects all people in the world and unfortunately not all telecommunications providers (there is more than 12,000 of them worldwide) have your security interests at heart.
These set of vulnerabilities bypass some 2 Factor Authentication methods, thus making it very important to know about it and how to defend from it.
Here’s a guide on how small businesses can protect themselves against SS7 and similar attacks.
Why are we talking about defending against SS7?
In today’s interconnected world, small businesses rely heavily on mobile networks for communication, security, and operations. While mobile technology offers numerous advantages, it also exposes businesses to vulnerabilities that could compromise sensitive data. One particularly dangerous attack vector is SS7 (System Signaling Number 7), which has been used by hackers to intercept calls, messages, and even bypass two-factor authentication (2FA). Understanding and defending against these attacks is crucial for small businesses that depend on mobile technologies.
Recently Veritasium Youtube Channel highlighted in a video "Exposing the Flaw in Our Phone System" several key issues surrounding the vulnerabilities in the SS7 protocol are brought to light showing the clear and present danger from SS7 to the whole world.
The Vertasiums video emphasizes how the SS7 system, a foundational part of global telecommunication infrastructure, has inherent weaknesses that expose users to serious security risks. The protocol, initially designed for reliability rather than security, is vulnerable to exploitation, allowing malicious actors to intercept calls, messages, and even track users’ locations.
Key quotes from the video highlight these concerns:
On the system’s design flaw: “SS7 wasn’t built with security in mind because, at the time, it was only trusted parties who had access to it. But now, that trust is gone.”
On the severity of potential attacks: “Hackers don’t need direct access to your phone; they can do it remotely through vulnerabilities in the SS7 system.”
On the real-world impacts: “The flaw has allowed surveillance companies to offer services that can track anyone, anywhere, simply by accessing the SS7 network.”
This systemic issue underscores the importance for mobile carriers to enhance their SS7 security measures to protect against these types of attacks. Some carriers in regions such as Europe, Middle East, Asia, Africa, South and North America are beginning to strengthen their protocols, but it remains a pressing concern for the entire industry.
If you're running a small business that relies on mobile communications, it's crucial to choose carriers that prioritize SS7 security and implement strong back-office protections.
Let's now find out what is SS7 and why it's vulnerable.
What Is SS7 & Why Is It Vulnerable?
SS7 (Signaling System No. 7) is a crucial component of global telecommunication (phone & SMS) networks, but its age and complexity have made it susceptible to various attacks. While individuals can't directly defend against SS7 vulnerabilities at a network level, there are steps to mitigate risks and protect personal data.
SS7 is a set of telecommunication protocols that allows networks to communicate for call setup, routing, billing, and SMS exchange. Originally developed in the 1970s, SS7 was designed with a trust-based system, assuming that anyone with access to the network is trustworthy. This assumption has made it an attractive target for cybercriminals, as it lacks robust security measures.
Hackers can exploit SS7 vulnerabilities by intercepting mobile communications, tracking phone locations, and even hijacking 2FA codes sent via SMS, posing a significant threat to businesses that rely on mobile phones for security and communication.
History of SS7
SS7 (Signaling System No. 7) is a set of telecommunication protocols developed in the 1970s to manage the exchange of information over the Public Switched Telephone Network (PSTN). Here's a brief history:
Development in the 1970s
SS7 was created by ITU-T (International Telecommunication Union - Telecommunication Standardization Sector) to replace older in-band signaling systems, where control signals were sent along the same channel as the voice data.
In-band signaling systems were vulnerable to fraud and limited in bandwidth, so the move to an out-of-band signaling system like SS7 helped increase both the security and efficiency of call routing.
Introduction in the 1980s
By the 1980s, SS7 became the standard signaling protocol for ISDN (Integrated Services Digital Network) and cellular networks. It allowed more efficient call setup, management, and termination across different networks and regions.
It also facilitated Caller ID, toll-free numbers, and call forwarding features by separating the signaling information from the voice channels.
Expansion in the 1990s
SS7 expanded with the growth of mobile networks and SMS. It enabled cellular networks to track users between different cells, manage handovers, and deliver messages across various carriers.
SS7 also began to support Intelligent Network (IN) services, enabling advanced features like prepaid billing and number portability.
Emergence of Security Concerns in the 2000s
As telecommunications systems expanded globally, it became clear that SS7 had inherent security vulnerabilities. The system was originally designed with trust between operators, assuming that only trusted entities would have access to it.
However, as telecom networks became more interconnected, attackers began exploiting these trust assumptions. The ability to intercept calls, spoof phone numbers, and track users became possible by manipulating SS7 commands.
SS7 Vulnerabilities Exposed in the 2010s
Major SS7 vulnerabilities became public knowledge in the 2010s, with reports of hackers, nation-states, and surveillance companies exploiting the system for espionage.
Researchers and cybersecurity firms demonstrated how hackers could intercept SMS messages (including two-factor authentication codes) and listen in on phone calls by exploiting SS7 weaknesses.
Present Day and Future of SS7
As 5G networks continue to roll out, SS7 is being phased out (2G/3G) in favor of more modern protocols like Diameter for 4G and 5G networks. However, SS7 remains crucial for backward compatibility, meaning that vulnerabilities will continue to exist for some time.
Many mobile carriers have implemented firewalls and monitoring tools to detect and block SS7 attacks, but these efforts are not consistent across all regions.
SS7’s development marks a significant evolution in global telecommunications, but its legacy is now intertwined with ongoing security challenges. Carriers and governments are now focusing on how to better secure signaling in the modern era while managing compatibility with existing infrastructure.
Sources on SS7 history:
ITU-T standards documentation
Research articles from cybersecurity firms such as FireEye and Positive Technologies
Vertasium's video on SS7 security vulnerabilities "Exposing The Flaw In Our Phone System"
Lets now learn all about the global telecommunication system.
Basic Aspects of Telecommunications Networks Worldwide
Telecommunications networks are complex systems that rely on various identifiers and protocols to manage devices, routes, and user accounts, facilitating seamless communication globally. Here are the basic aspects of telecommunications networks, including key elements like GTs, IMEI, and SIM numbers:
1. Global Title (GT)
Purpose: Used in SS7 signaling to route messages across networks.
Function: Translates to Point Codes for directing signaling messages to the correct destination (e.g., SMS delivery, call routing). This system ensures efficient communication between mobile networks across regions or countries.
2. IMEI (International Mobile Equipment Identity)
Purpose: Unique identifier for mobile devices.
Function: Helps identify and track devices on the network, allowing carriers to block stolen phones or manage device capabilities.
3. SIM Number (ICCID - Integrated Circuit Card Identifier)
Purpose: Unique identifier for the SIM card itself.
Function: Links the SIM card to a specific mobile account, containing details about the country, issuing network, and a unique identifier.
4. IMSI (International Mobile Subscriber Identity)
Purpose: Unique identifier for mobile subscribers.
Function: Used by networks to authenticate the subscriber and manage services.
5. MSISDN (Mobile Station International Subscriber Directory Number)
Purpose: Phone number associated with the SIM card.
Function: Used for dialing and routing calls to the subscriber's device.
6. Network Elements
Mobile Switching Center (MSC): Routes calls and messages, manages mobile services.
Base Station Controller (BSC): Manages base stations, handles resource allocation for calls.
Home Location Register (HLR): Database that stores subscriber information, including service profiles and current locations.
7. Protocols
Protocols for 2G (GSM) / 3G (UMTS):
SS7 (Signaling System No. 7): A set of protocols used for signaling in telephone networks (2G/3G and backwards compatible in 4G/LTE/5G networks), enabling call setup, routing, and SMS delivery. Key protocols in SS7 are:
MTP (Message Transfer Part): MTP Level 1 & 2: Responsible for physical, data link, and error correction functions (similar to OSI layers 1 and 2). MTP Level 3: Provides network layer routing and message delivery between SS7 nodes. Delivers SMS signaling messages over the SS7 network for 2G and still used for 3G message routing and delivery.
SCCP (Signaling Connection Control Part): Adds additional routing capabilities to MTP, enabling services like global title translation (used for routing messages based on phone numbers). Supports connection-oriented and connectionless communication. Routes SMS messages over SS7 for 2G and still used in 3G for message routing and delivery.
TCAP (Transaction Capabilities Application Part): Manages the setup, control, and teardown of signaling transactions (e.g., queries for databases like HLR/VLR).
Used for services such as mobile roaming, number portability, and SMS.
MAP (Mobile Application Part): Manages mobile-specific signaling for tasks such as location updates, authentication, roaming, and SMS. Frequently used in mobile networks (GSM, UMTS) for communication between core network elements like HLR, VLR, and MSC. Purpose: Facilitates communication between network elements in 2G/3G (like Home Location Register (HLR), Visitor Location Register (VLR), and Mobile Switching Center (MSC)). Functionality: Supports tasks like location updates, roaming, and SMS delivery.
ISUP (ISDN User Part): Manages call setup and teardown over SS7 for circuit-switched voice calls for 2G/3G. Handles the setup and teardown of voice and data calls over the public switched telephone network (PSTN). Facilitates call-related signaling for circuit-switched networks.
BSSAP (Base Station System Application Part):
Purpose: Operates in GSM to connect the Base Station Subsystem (BSS) with the core network (MSC).
Functionality: Handles signaling between the BSC and MSC for voice calls and SMS routing.
3G Only: RANAP (Radio Access Network Application Part): Manages signaling between the Radio Network Controller (RNC) and core network for SMS and voice calls/services.
Purpose: Used in 3G networks for communication between the Radio Network Controller (RNC) and the core network.
Functionality: Manages radio access bearers, signaling for call setup, and mobility functions in 3G UMTS networks.
GTP (GPRS Tunneling Protocol):
Purpose: Handles user data transmission in 3G networks and beyond.
Functionality: GTP-C manages control signaling for establishing sessions, while GTP-U encapsulates user data for transfer across the core network (e.g., between base stations and gateways).
A-interface (GSM A-Interface Protocol):
Purpose: Connects the Base Station Controller (BSC) to the Mobile Switching Center (MSC) in 2G (GSM) networks.
Functionality: Manages voice call setup, handovers, and mobility between base stations.
Protocols for 4G/LTE:
Diameter: Used for authentication, authorization, and accounting (AAA) between network elements. Replaces the older SS7 protocol used in 2G/3G for certain functions.
SGsAP (SGs Application Part): Supports SMS over LTE, allowing SMS delivery even when the user is on an LTE-only network.
IP-SM-GW (IP Short Message Gateway): Provides SMS transmission over IP-based networks (for 4G).
VoLTE (Voice over LTE): Voice calls are transmitted over LTE's IP-based network using the IMS (IP Multimedia Subsystem).
SIP (Session Initiation Protocol): Manages call setup, control, and teardown in IMS-based voice calls.
SRVCC (Single Radio Voice Call Continuity): Manages handovers of voice calls between LTE (packet-switched) and 2G/3G (circuit-switched) networks.
GTP (GPRS Tunneling Protocol): The GTP-C (Control Plane) manages signaling for session establishment, mobility, and traffic forwarding. GTP-U (User Plane) is responsible for data encapsulation and user data transmission.
S1-AP (S1 Application Protocol):
Purpose: Manages signaling between the LTE eNodeB (base station) and the core network (MME).
Functionality: Handles procedures such as session establishment, mobility management, and resource allocation in LTE.
X2-AP (X2 Application Protocol):
Purpose: Facilitates communication between neighboring LTE eNodeBs (base stations).
Functionality: Manages tasks like handovers (when a user moves between base stations) and load balancing to optimize network performance.
NAS (Non-Access Stratum):
Purpose: Manages communication between the user equipment (UE) and the core network for tasks not related to the radio access layer. Handles SMS signaling in LTE networks.
Functionality: Handles signaling for authentication, mobility, and session management, ensuring secure and smooth connectivity in the network.
Protocols for 5G:
HTTP/2 (major revision of the HTTP (Hypertext Transfer Protocol)): Replaces Diameter for signaling in the 5G core network. It's used for authentication, session management, and resource allocation in the 5G Core (5GC). Purpose: Used primarily for web-based services in 5G networks, enhancing web performance due to its multiplexing, header compression, and server push features. Usage: Ideal for applications requiring low latency and high throughput, such as video streaming and interactive applications.
HTTP/3 (Future Use): Purpose: An evolution of HTTP/2, based on QUIC (Quick UDP Internet Connections), which is designed to reduce latency further. Usage: May be utilized in future 5G applications for real-time communication and services, taking advantage of its lower latency and faster connection establishment.
IMS (IP Multimedia Subsystem): If available, 5G sends SMS via IMS using IP-based messaging protocols. Provides the framework for managing voice services over IP in 5G.
SMSF (SMS Function): A dedicated function in the 5G core for handling SMS.
VoNR (Voice over New Radio): 5G voice calls are managed entirely over the 5G NR air interface using IMS.
SIP (Session Initiation Protocol): Continues to manage call setup and teardown for 5G voice calls.
NGAP (Next-Generation Application Protocol):
Purpose: Manages signaling between the 5G core network and the gNodeB (5G base station) and the Radio Access Network (RAN).
Functionality: Controls functions like session management, mobility, and resource allocation in 5G networks. Manages control plane signaling for establishing and maintaining connections and session management.
SDAP (Service Data Adaptation Protocol):
Purpose: Ensures Quality of Service (QoS) for user data in 5G by mapping traffic to specific QoS levels.
Functionality: Adapts user data into the 5G air interface, helping prioritize different types of services (e.g., streaming vs. voice calls).
NAS (Non-Access Stratum):
Purpose: Handles signaling between the user equipment (device) and the core network in 4G and 5G. Manages SMS signaling in 5G as it does in 4G.
Functionality: Manages processes like authentication, security, mobility, and session management.
GTP (GPRS Tunneling Protocol):
Purpose: Encapsulates user data for transmission across networks in both 4G and 5G.
Functionality: GTP-C handles control signaling, while GTP-U transmits user data, facilitating data transfer between network nodes (e.g., base stations, gateways).
8. Standards
2G (2nd Generation): A second-generation mobile network standard that introduced digital voice transmission and text messaging (SMS). It marked the transition from analog to digital, improving call quality and enabling features like roaming and more efficient use of the radio spectrum.
3G (3rd Generation): Third-generation mobile communication technology that provided enhanced data rates and capabilities, enabling mobile internet access, video calling, and multimedia services. It introduced packet-switched data transmission, improving the overall efficiency of mobile data services.
4G(4th Generation): Fourth-generation mobile communication standard offering significantly faster data speeds and improved network capacity compared to its predecessors. It supports high-definition video streaming, online gaming, and other bandwidth-intensive applications, with LTE (Long-Term Evolution) as its most widely adopted variant.
LTE (Long-Term Evolution): A standard for wireless broadband communication, facilitating high-speed data transmission. Another name for it is 4G. LTE enhances mobile internet connectivity with lower latency, increased capacity, and improved spectral efficiency, making it suitable for high-definition multimedia services.
5G (5th Generation): Fifth-generation mobile communication technology that revolutionizes wireless connectivity with ultra-fast data speeds, low latency, and massive device connectivity. It supports advanced applications like IoT (Internet of Things), autonomous vehicles, and augmented/virtual reality, enabling smart cities and enhanced user experiences. 5G is built on top of 4G and works along 4G protocols.
6G (6th Generation): Sixth-generation mobile communication technology that aims to revolutionize connectivity with ultra-high data speeds, expected to exceed 100 Gbps. It focuses on ultra-low latency, potentially as low as 1 millisecond, and will integrate advanced technologies such as AI, machine learning, and terahertz frequency bands. 6G is anticipated to support innovative applications like holographic communication, enhanced augmented reality (AR), and massive Internet of Things (IoT) deployments, enabling a more interconnected and intelligent world. Countries like China, the United States, South Korea, and Japan are investing heavily in research to develop 6G standards and technologies. Other countries are lagging in this.
9. Types of Networks
Public Switched Telephone Network (PSTN): Traditional circuit-switched telephone network.
Mobile Networks: Cellular networks that provide mobile communication services.
VoIP (Voice over Internet Protocol): Technology that enables voice calls over the internet.
Why is the Global Telecommunications Network Vulnerable?
The telecommunications networks' vulnerability stems from its complexity, interconnectivity, inconsistent security practices, and the high value of the data it manages. These factors create multiple avenues for potential threats, necessitating robust security measures and collaboration among providers to mitigate risks. The telecommunications industry is vulnerable due to several factors, especially given the presence of over 12,000 providers globally. Here are some key reasons:
1. Diverse Infrastructure
Complexity: Many providers have different technologies, protocols, and systems, making integration and security challenging.
Legacy Systems: Some networks still use outdated technology, which may have security vulnerabilities.
2. Interconnectivity
Network Dependencies: Providers often rely on each other for services, creating multiple points of failure.
Routing Vulnerabilities: Interconnected systems can be exploited to reroute traffic, leading to potential interception or data breaches.
3. Inconsistent Security Standards
Varied Practices: Different providers may implement security measures inconsistently, leaving gaps that can be exploited.
Regulatory Differences: Varying regulations across countries can lead to weaker protections in some regions.
4. High Target Value
Data Richness: Telecom networks handle vast amounts of personal and financial data, making them attractive targets for cybercriminals.
Service Disruption: Attacks on telecom infrastructure can disrupt services, causing significant economic impact.
5. Supply Chain Vulnerabilities
Third-party Risks: Many telecom companies rely on third-party vendors for equipment and services, which can introduce vulnerabilities.
Software Dependencies: Vulnerabilities in software used across networks can compromise entire systems.
6. Human Factors
Insider Threats: Employees may inadvertently or intentionally compromise security through negligence or malicious actions.
Social Engineering: Employees can be targeted through phishing or other tactics to gain access to sensitive information.
7. Rapid Technological Changes
Innovation Pace: The fast evolution of technology can outstrip security measures, leaving systems exposed.
IoT Integration: The rise of IoT devices adds more entry points and complexity, increasing the attack surface.
But what about the risks to small businesses?
Why Are Small Businesses at Risk?
While large enterprises may have the resources to implement advanced security solutions, small businesses often lack the dedicated IT teams and budgets to stay ahead of evolving threats.
However, they are just as reliant on mobile communication, making them equally susceptible to SS7 and other signaling protocol attacks. Additionally, small businesses may assume that cybercriminals won’t target them, which can lead to complacency.
Small businesses face significant cybersecurity risks due to various factors, despite being critical players in the economy. Here’s a detailed look at why they are particularly vulnerable:
1. Limited Resources
Budget Constraints: Small businesses often operate with tight budgets, which can restrict their ability to invest in advanced cybersecurity solutions and tools.
Lack of Dedicated IT Teams: Many small businesses don’t have full-time IT staff. This limits their capacity to monitor, manage, and respond to security threats effectively.
2. Dependence on Mobile Communication
Reliance on Telecommunications: Small businesses use mobile communication for operations, customer interactions, and transactions, making them reliant on the same signaling protocols that larger enterprises use.
Vulnerability to SS7 Attacks: Just like larger organizations, small businesses can be targeted through vulnerabilities in SS7 and other signaling protocols, potentially leading to data breaches or service disruptions.
3. Assumptions About Targeting
Complacency: Many small business owners mistakenly believe they are not significant enough to attract cybercriminals, leading to a false sense of security.
Underestimating Threats: Small businesses often overlook the fact that cybercriminals frequently target smaller entities, viewing them as easier targets with less robust defenses.
4. Lack of Awareness and Training
Insufficient Cybersecurity Training: Employees in small businesses may not receive adequate training on cybersecurity best practices, making them more susceptible to phishing and social engineering attacks.
Ignorance of Risks: Without proper awareness, staff might engage in risky behaviors, such as using weak passwords or ignoring software updates.
5. Inadequate Security Measures
Basic Security Solutions: Small businesses may only implement basic security measures, such as antivirus software, which may not be sufficient against sophisticated threats.
Failure to Conduct Risk Assessments: Many small businesses do not regularly evaluate their cybersecurity posture or conduct risk assessments, leaving them unaware of vulnerabilities.
6. Third-party Dependencies
Vendor Risks: Small businesses often rely on third-party vendors for software and services. If these vendors lack strong security practices, it can expose the small business to potential attacks.
Supply Chain Vulnerabilities: An attack on a third-party provider can lead to cascading effects, impacting the small business indirectly.
7. Regulatory Compliance Challenges
Complex Regulations: Small businesses may struggle to understand and comply with relevant cybersecurity regulations, exposing them to legal risks.
Resource Constraints for Compliance: Meeting compliance requirements often demands resources and expertise that small businesses may lack.
Small businesses are at risk due to their limited resources, reliance on mobile communication, complacency about cyber threats, and inadequate security measures. To mitigate these risks, small businesses should prioritize cybersecurity awareness, invest in appropriate solutions, and regularly assess their security posture. By understanding their vulnerabilities and taking proactive measures, they can enhance their defenses against evolving threats.
How SS7 Attacks Work?
SS7 (Signaling System No. 7) attacks exploit vulnerabilities in the telecommunications signaling system that governs how mobile networks communicate. Here’s an in-depth look at how these attacks are executed and their implications:
1. Accessing the SS7 Network
Unauthorized Access: Hackers often gain access to the SS7 network through compromised telecom infrastructure or by exploiting weak security practices in telecom companies. Since SS7 was designed in a more trusting era, it lacks robust authentication mechanisms.
Interconnectedness: The global nature of telecom networks means that once a hacker breaches one network, they may have a pathway to access others, facilitating widespread attacks.
2. Call Interception
Listening In: Once hackers are inside the SS7 network, they can intercept calls. This is typically done by routing the call through their own device, allowing them to listen in without the user being aware.
No Trace Left: The nature of SS7 allows for this interception to occur without alerting the user or the telecom provider, making it particularly stealthy.
3. SMS Interception
Reading Texts: Hackers can intercept SMS messages, enabling them to read sensitive texts intended for the target. This includes personal messages, verification codes, or any other communication.
Potential Consequences: Intercepted texts can lead to unauthorized access to accounts, as many systems still use SMS as a verification method.
4. Location Tracking
Pinpointing Location: By exploiting SS7 vulnerabilities, hackers can access a user's location data in real time. This allows them to track the movements of individuals or assets.
Privacy Risks: This can lead to significant privacy violations and is particularly concerning for high-profile individuals or those in sensitive situations.
5. SIM Swapping
Transferring Phone Numbers: In a SIM swapping attack, a hacker can convince a telecom provider to transfer a target's phone number to a new SIM card controlled by the hacker. This often involves social engineering techniques, such as impersonating the target.
Gaining Control: Once the phone number is on the hacker's SIM, they can receive calls, texts, and two-factor authentication (2FA) codes, effectively taking control of the target's accounts.
How SS7 Attacks Typically Occur
Here’s a simple breakdown of how SS7 attacks typically occur in sequence:
Accessing the SS7 Network: Hackers gain unauthorized access to the SS7 network, which isn’t as difficult as it sounds, due to the interconnectedness of global telecom networks.
Intercepting Calls or SMS: Once inside, they can monitor voice calls, SMS messages, and even location data in real time.
Hijacking 2FA Codes: By intercepting SMS-based 2FA messages, they can access email accounts, banking systems, or corporate networks, effectively bypassing this critical security measure.
SS7 attacks exploit inherent vulnerabilities in the telecommunications signaling system, allowing hackers to intercept calls and SMS, track locations, and execute SIM swapping.
The interconnected nature of global telecom networks makes unauthorized access easier, resulting in serious security implications for users and businesses. Understanding these vulnerabilities is crucial for both telecom providers and users to bolster defenses against such attacks.
How difficult are SS7 exploits to undertake?
SS7 exploits are difficult to perform but not impossible, especially for attackers with enough resources and access to telecommunications networks. Here's an overview of the complexity involved:
1. High-Level Access
SS7 exploits require direct access to the global telecommunications network, which is not easily attainable. Only telecommunications companies, or those with special access to these systems (through hacking, insider help, or buying access on black markets), can directly interact with SS7.
Difficulty: Gaining access to SS7 networks is not something a casual hacker can do. It typically requires significant resources, advanced knowledge, or insider assistance.
2. Specialized Knowledge
An attacker would need detailed technical knowledge of SS7 protocols and how mobile networks handle communication.
This kind of knowledge is not easily accessible to the average hacker. While some vulnerabilities are well-documented, practical knowledge of how to exploit them takes years of specialized training or collaboration with other experts.
3. Resources
Conducting SS7 attacks often involves expensive equipment and considerable financial resources. Tools to intercept SS7 traffic and inject commands into networks are specialized and costly.
Governments, large criminal organizations, and well-funded actors typically have the resources to mount such an attack.
4. Stealth & Detection
SS7 attacks must often be conducted stealthily to avoid detection by the telecom company or the user. This adds another layer of complexity, as security teams at mobile carriers can detect unusual traffic or activity in SS7 protocols.
5. Success Rate
Even with access and resources, an attacker’s success is not guaranteed. Mobile carriers constantly update their security measures, and the global push toward securing telecom systems means the window for SS7 vulnerabilities is closing.
Targeting: SS7 attacks are generally reserved for high-value targets (e.g., politicians, business executives) rather than the average person.
SS7 exploits are complex, costly, and generally out of reach for everyday hackers. However, they remain a threat from sophisticated actors such as nation-states or highly organized cybercrime syndicates. Because of the high level of difficulty, SS7 vulnerabilities are more of a concern for high-profile individuals rather than regular users. Nonetheless, it's a good practice to avoid SMS-based 2FA due to the potential for such attacks.
Let's now learn how to mitigate the threats to small business.
SS7 Mitigation Strategies for Small Business
Multi-Factor Authentication (MFA): Enable MFA on your mobile account. This adds an extra layer of security, making it harder for hackers to access your account even if they compromise your password.
Change to strong passwords: Change your passwords regularly, using strong combinations of letters, numbers, and symbols. Avoid using easily guessable information. I would say regular changes to those passwords is necessary for weak services and websites with poor cybersecurity practices. For sites with multi factor authentication (multiple forms of authentication other than password) it's probably not necessary to change passwords too often. As regards Passkey technology being pushed by some top corporations - this technology is in early state and can be a bit fiddly - so I would suggest small business wait till everyone embraces it. Passkeys are like IPv6 - not used widely yet but it would mean never remembering passwords as there would be non.
Beware of Phishing Attempts: Be cautious of suspicious emails, texts, or calls asking for personal information. Never click on links or download attachments from unknown sources.
Limit Personal Information Sharing: Avoid sharing sensitive information like your full address, date of birth, or social security number over the phone or online, especially with unfamiliar individuals or organizations.
Use Secure Messaging Apps: For sensitive communication, consider using encrypted messaging apps like WhatsApp, Signal, or Telegram (Although after recent revelations on Telegram I would be cautious in using it as Telegram I'm told has vulnerabilities or back doors for state actors - not really sure - investigate the allegations yourself as its a developing story).
Monitor Your Account Activity: Regularly check your mobile account statements for any unusual activity, such as unauthorized calls or data usage. Report any suspicious activity to your mobile carrier immediately.
Choose a Reputable Carrier: Select a mobile carrier with a strong security reputation and that takes proactive measures to protect its customers from SS7 attacks. I made a large list of reputable mobile carriers worldwide to help you make decisions - go to heading "Partner with a Reputable Mobile Carrier (Large List of Countries)"
Key ways to defend against SS7 attacks
While small businesses may not be able to control the weaknesses of SS7 directly, there are several steps you can take to mitigate risks and protect your operations.
1. Switch from SMS-Based 2FA to App-Based Authentication
Problem: SS7 attacks can intercept SMS messages, making SMS-based two-factor authentication (2FA) vulnerable.
Solution: Use app-based 2FA solutions like Google Authenticator, Authy, or Microsoft Authenticator. These apps generate time-based one-time passcodes (TOTP) that are not sent over the network, thus removing the risk of interception. Setup everything like that and remove SMS as a recovery option.
BUT CAUTION IS ADVISED: While removing SMS as a recovery option, ensure you have multiple backup methods to regain access if needed. Eliminating SMS as a recovery option is a crucial step in defending against SS7 attacks. By switching to app-based authentication, implementing robust backup recovery options, educating users, and continuously monitoring security, small businesses can significantly enhance their security posture. Careful planning and execution are key to ensuring a smooth transition while maintaining access to critical accounts. Here is suggestion actions:
Backup or Recovery Codes: Generate a set of backup codes when setting up 2FA. Store these codes securely offline. Microsoft and Google accounts under Security Tab then under the section for 2 Factor either generate 10 codes or one recovery code.
Email Recovery: Use a secure email address with strong security measures for recovery, but ensure it’s also protected with 2FA that doesn't use SMS or Phone call verification. Minimize access to the recovery email to prevent it from being compromised.
Authenticator App Backup setting: Some apps allow you to backup your settings to a secure cloud service. Both Google Authenticator and Microsoft Authenticator have cloud backup into selected accounts. Turn that on in the app.
Get Hardware Security Keys or Tokens (YubiKey, Google Titan, etc.): Provides top-tier security because it requires physical access to a token for authentication. Hardware tokens aren’t vulnerable to SS7 or 5G vulnerabilities. Less convenient than SMS or authentication apps since you need to carry the token with you. If lost, the hardware token can lock you out unless you have backups or alternative methods so I suggest this option should be a backup and keep it in a safe place in case you lose your phone or computer and need to get back in.
Suggestions on products as at 2024:
YubiKey 5 Series (Best choice - Overall security and versatility)
Google Titan Security Key (only available in some countries)
Feitian ePass K9 (Budget-friendly, multi-protocol support.)
SoloKeys USB-C/NFC (for Open-source enthusiasts)
Thetis FIDO U2F Security Key (Affordable, basic security needs)
2. Encourage the Use of Encrypted Communication Apps
Problem: SS7 exploits can allow hackers to eavesdrop on voice calls and messages.
Solution: Encourage your employees to use encrypted communication apps such as WhatsApp, Signal, or Telegram, which offer end-to-end encryption, making intercepted data unreadable. Especially when sharing passwords, sensitive information like banking and other sensitive details.
3. Secure Your Business Phones with Strong Encryption
Problem: Even if the SS7 network is compromised, strong encryption on the device can prevent hackers from accessing sensitive data.
Solution: Ensure that all business phones are encrypted. Both Android and iOS devices offer built-in encryption, which should be enabled as part of standard device setup.
4. Use Virtual Private Networks (VPNs) for Remote Work
Problem: Unsecured networks (like public Wi-Fi) expose mobile devices to a variety of cyberattacks.
Solution:
A Virtual Private Network (VPN) can encrypt your internet traffic, making it more difficult for hackers to intercept your data. Ensure that employees use a VPN whenever they access company systems remotely. This encrypts all traffic between the device and the internet, offering an additional layer of security.
Avoid using public Wi-Fi networks for sensitive activities like online banking or shopping, as they may be less secure.
5. Implement Multi-Layered Security Policies
Problem: Relying on just one layer of security (like 2FA) is not enough when faced with sophisticated attacks.
Solution: Deploy a multi-layered approach to security that includes:
Strong, unique passwords for each system.
Regular employee training on phishing and social engineering attacks.
Network firewalls and intrusion detection systems (IDS).
6. Monitor and Audit Mobile Security Regularly
Problem: New vulnerabilities and attack methods emerge all the time.
Solution: Regularly audit your mobile and network security. Consider hiring a cybersecurity expert or consulting firm to conduct penetration testing and identify potential vulnerabilities in your system. Cyberkite offers bimonthly, quarterly, 6 monthly and yearly cybersecurity's checks for small businesses in Australia. Learn more on that: cyberkite.com.au/cybersecurity
7. Educate Employees and Users
Awareness Training: Conduct regular training sessions on the importance of security practices, including recognizing phishing attempts and understanding the risks associated with SMS.
Clear Instructions: Provide clear guidance on how to set up app-based authentication and backup recovery options if they require staff to setup themselves to make sure incorrect authentication options aren't set.
8. Monitor Account Activity
Real-Time Alerts: Set up real-time notifications for any suspicious account activity, such as login attempts from unrecognized devices or locations.
Regular Account Checks: Encourage users to regularly check their account activity for unauthorized actions.
9. Keep Your Software Updated
Problem: Devices and applications may not be up to date and have much weaker security protections.
Solution: Ensure your mobile device's operating system and apps are always up-to-date with the latest security patches.
While SS7 vulnerabilities remain a challenge, by following these guidelines, you can significantly reduce your risk of falling victim to attacks and protect your personal information.
Question: Does adding +XXX country codes by the customers / users help defend against SS& vulnerabilities?
As a phone user: Using + country codes (+61 ) for phone numbers alone does not prevent or mitigate SS7 vulnerabilities. While dialing with the international format (including the +country code) ensures that numbers are routed correctly, it does not address the inherent security weaknesses in the SS7 protocol itself.
The vulnerabilities in SS7 arise from the way signaling messages are handled, especially for tasks like call setup, SMS routing, and inter-network roaming. Attackers can intercept or manipulate these messages due to a lack of encryption and authentication in the protocol.
To defend against SS7 vulnerabilities, use of complete phone numbers with country code (+XXX) (instead of just local non country codes numbers) needs to be enforced at the carrier level. This could include:
Encryption and authentication of signaling messages
Monitoring SS7 traffic for suspicious patterns (e.g., unexpected message routing)
Implementing firewalls specifically designed for SS7 traffic
Transitioning to newer protocols like Diameter (for 4G/5G), though even these have vulnerabilities that need to be properly managed. Idea? Perhaps eliminating 2G/3G networks with weaker protocols from the carriers network which is happening in some countries like Australia but very cautiously to avoid outages to devices that rely on 2G/3G networks.
The solution needs to come from the carriers with robust security measures on their networks, not through customer dialing habits. In summary, as a user, adding country codes helps with routing but does not protect against SS7 vulnerabilities, which require infrastructure-level defenses from telecom operators.
Defending Against Other Mobile Protocol Attacks for 4G/LTE/5G/6G
In both 4G (LTE) and 5G networks, certain protocols are susceptible to cyber threats and vulnerabilities, particularly in the context of signaling, authentication, data transmission, and mobility management. These vulnerabilities can expose networks to attacks like denial of service (DoS), eavesdropping, and impersonation. While SS7 is a well-known vulnerability, there are other mobile protocol attacks small businesses should be aware of:
Common Threats and Exploits in both 4G/5G Protocols:
Man-in-the-Middle (MITM) Attacks: Certain signaling protocols (e.g., NAS, GTP) can be exploited for intercepting or tampering with traffic if authentication/encryption mechanisms are weak.
Denial of Service (DoS) Attacks: Flooding attacks on GTP, S1-AP, and X2-AP can overload the network infrastructure, causing service degradation or downtime.
Downgrade Attacks: Attackers force devices to connect to older, less secure generations (like 2G/3G) that are easier to compromise.
Eavesdropping: Exploiting poorly encrypted signaling and user data channels can allow attackers to intercept user traffic.
Replay Attacks: Re-sending previously captured messages to manipulate user sessions or impersonate legitimate users.
4G/LTE Based Attacks:
Though 4G improved security compared to earlier generations (2G/3G), several protocols still have vulnerabilities.
Diameter Attacks: As telecom companies upgrade to 4G/LTE and 5G, Diameter protocols (the successor to SS7) are becoming the new target. Vulnerabilities: These attacks can lead to similar exploits such as intercepting messages and bypassing security controls. Susceptible to replay attacks, where previously sent messages are maliciously re-transmitted. Man-in-the-middle (MITM) attacks and impersonation due to weaknesses in how authentication messages are handled between network elements. Exploitable by attackers to bypass authentication, intercept user data, or conduct billing fraud.
Defense for carriers: Ensure your mobile service provider is aware of Diameter protocol vulnerabilities and is actively working to secure them.
End-to-End Encryption: Implement strong encryption methods (e.g., TLS) for Diameter messages to protect data in transit and prevent interception.
Strong Authentication: Use robust authentication mechanisms, such as digital certificates and mutual authentication, to verify the identity of both the sender and receiver.
Message Integrity Checks: Apply cryptographic checksums or message integrity codes to Diameter messages to detect any unauthorized alterations during transmission.
Replay Protection Mechanisms: Incorporate sequence numbers or timestamps in Diameter messages to prevent replay attacks and ensure message freshness.
Access Control Lists (ACLs): Enforce strict ACLs to limit which network elements can communicate via Diameter, reducing exposure to potential attacks.
Intrusion Detection Systems (IDS): Deploy IDS to monitor Diameter traffic for suspicious activity and generate alerts for potential security incidents.
Regular Security Audits: Conduct periodic audits and assessments of Diameter configurations and implementations to identify vulnerabilities and ensure adherence to security best practices.
Security Policy Development: Establish comprehensive security policies specific to Diameter protocols, outlining acceptable usage, access controls, and incident response procedures.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
SIP (Session Initiation Protocol) Attacks: SIP is used to initiate and terminate voice over IP (VoIP) communications. Attackers can exploit poorly secured SIP setups to eavesdrop on calls or launch denial-of-service (DoS) attacks.
Defense for service providers: Secure SIP communications using encryption protocols like TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol).
Encryption: Utilize Secure SIP (SIPS) with Transport Layer Security (TLS) to encrypt SIP signaling messages, protecting against eavesdropping.
Strong Authentication: Implement robust authentication methods (e.g., digest authentication) for SIP accounts to prevent unauthorized access and spoofing.
Firewalls: Deploy SIP-aware firewalls to filter SIP traffic, detect malicious activities, and protect against DoS attacks.
Rate Limiting: Apply rate limiting on SIP requests to prevent flooding and mitigate the risk of DoS attacks.
Network Segmentation: Isolate VoIP traffic from other network traffic to enhance security and minimize the impact of potential attacks.
Regular Security Audits: Conduct periodic audits of SIP configurations and security settings to identify vulnerabilities and ensure best practices are followed.
Intrusion Detection and Prevention Systems (IDPS): Use IDPS to monitor SIP traffic for unusual patterns and automatically respond to potential threats.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
S1-AP (S1 Application Protocol): Vulnerabilities: Susceptible to flooding attacks and session establishment attacks, leading to service degradation. Attackers can send large volumes of signaling messages, overwhelming the network infrastructure and causing outages or service disruptions.
Defense for carriers:
Rate Limiting: Implement rate limiting on signaling messages to prevent flooding and reduce the impact of attacks.
Anomaly Detection: Utilize anomaly detection systems to identify and mitigate abnormal signaling traffic patterns indicative of flooding attacks.
Firewalls and Intrusion Prevention Systems (IPS): Deploy robust firewalls and IPS to filter out malicious signaling traffic and protect network elements.
Authentication and Encryption: Enforce strong authentication mechanisms and encryption protocols to secure signaling messages, reducing the risk of unauthorized access.
Network Segmentation: Implement network segmentation to isolate critical network components, minimizing the impact of potential attacks on the overall infrastructure.
Regular Security Audits: Conduct periodic security audits and penetration testing to identify and address vulnerabilities in the network infrastructure.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
X2-AP (X2 Application Protocol): Vulnerabilities: Exposed to signaling storms and DoS attacks, particularly during handovers between eNodeBs (base stations). Attackers can exploit handover processes to create signaling overloads, causing interruptions in connectivity.
Defense for carriers:
Load Balancing: Implement load balancing mechanisms across eNodeBs to distribute traffic evenly and mitigate the risk of signaling storms during handovers.
Handover Optimization: Optimize the handover process by using predictive algorithms to reduce the frequency of handovers and limit unnecessary signaling.
Rate Limiting: Apply rate limiting to signaling messages to prevent overload conditions and ensure that the network can handle legitimate traffic effectively.
Anomaly Detection Systems: Deploy systems to monitor and detect unusual signaling patterns, enabling rapid response to potential attacks or overload situations.
Redundancy and Failover Mechanisms: Implement redundant pathways and failover mechanisms within the network to maintain connectivity during peak signaling conditions or potential attacks.
Security Policies and Access Control: Enforce strict security policies and access controls to limit who can initiate handover processes and prevent unauthorized signaling attempts.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
GTP (GPRS Tunneling Protocol): Still used in 5G for tunneling data between network nodes. Vulnerabilities: Session hijacking, DoS attacks, and traffic redirection are still concerns due to GTP weaknesses in the control and user plane. Exploitable to disrupt user sessions, intercept data, or overload network nodes by exploiting session management weaknesses.
Defense for carriers:
Encryption: Implement strong encryption protocols (e.g., IPsec) for GTP tunnels to protect data in transit and safeguard against interception.
Authentication Mechanisms: Enforce robust authentication methods for session initiation and management to prevent unauthorized access and session hijacking.
Access Control Lists (ACLs): Utilize ACLs to restrict GTP traffic and ensure that only legitimate and authorized nodes can participate in the tunneling process.
Traffic Monitoring and Anomaly Detection: Deploy systems to continuously monitor GTP traffic for unusual patterns or behaviors, enabling quick identification and response to potential attacks.
Session Management Controls: Enhance session management processes to include timeout mechanisms and periodic re-authentication to limit the duration of sessions and reduce hijacking risk.
Network Segmentation: Segregate GTP traffic from other network functions to contain potential breaches and limit the impact of attacks.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
NAS (Non-Access Stratum): NAS is still used in 5G for signaling between the User Equipment (UE) and the core network. Vulnerabilities: Downgrade attacks: In mixed environments (non-standalone 5G), attackers can force a device to connect to less secure 4G or even 2G networks, exposing communications to eavesdropping or interception. Replay attacks and impersonation remain a risk, especially in edge cases of transitioning between 4G and 5G networks. Allows attackers to downgrade devices to insecure connections, making it easier to exploit older vulnerabilities or intercept user traffic.
Defense for carriers:
Secure Authentication: Implement strong authentication protocols, such as 5G Authentication and Key Agreement (5G-AKA), to validate user identity and prevent unauthorized access.
Encryption: Utilize robust encryption for NAS signaling messages to protect against eavesdropping and interception during transmission.
Integrity Protection: Ensure that all NAS messages are integrity-protected to detect any tampering or replay attacks on the signaling data.
Network Detection: Use network detection mechanisms to identify and block downgrade attempts, ensuring devices maintain connections with the most secure available network.
Dynamic Configuration: Allow user equipment (UE) to dynamically adapt and select the most secure network type based on current conditions and security assessments.
Regular Security Updates: Maintain up-to-date security protocols and implement regular updates to address vulnerabilities and improve overall system resilience.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
5G Based Attacks:
5G has introduced new security features to mitigate these vulnerabilities, such as: Stronger encryption for both signaling and data. Mutual authentication between the user equipment and the network. Enhanced privacy features to protect user identities from being easily tracked or intercepted. Standalone architecture (SA) reduces the attack surface by relying solely on 5G core protocols rather than legacy LTE infrastructure.
While 5G has introduced several security improvements, especially in the standalone (SA) architecture, it is still vulnerable to some of the same threats as 4G due to shared protocols and the complexity of new technologies. 5G is still evolving, early deployments (especially non-standalone 5G) are more vulnerable to inherited weaknesses from 4G LTE.
HTTP/2 Attacks (in 5G core): HTTP/2 replaces the Diameter protocol in 5G for control plane signaling. Vulnerabilities: HTTP/2 amplification attacks and vulnerabilities related to header compression could be exploited to overload network elements. MITM attacks can occur if encryption is not implemented or configured properly. Attackers could exploit vulnerabilities in HTTP/2 to overload network functions, causing degradation in service quality or availability.
Defense by carriers: To defend against HTTP/2 vulnerabilities in 5G core networks, several strategies can be employed.
Rate limiting controls user requests, mitigating amplification attacks, while strong encryption (e.g., TLS 1.3) prevents Man-in-the-Middle (MITM) attacks.
Ensuring input validation and effective connection management helps block malicious payloads and reduce overload risks.
Implementing robust monitoring and logging systems allows for quick detection of unusual traffic patterns, and network segmentation can isolate critical components to contain breaches.
Regular security updates, along with Intrusion Detection and Prevention Systems (IDPS) and Web Application Firewalls (WAFs), enhance protection.
Conducting security audits ensures ongoing vigilance against potential vulnerabilities.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
NGAP (Next-Generation Application Protocol): Vulnerabilities: As a new protocol for signaling between the 5G core and the gNodeB, NGAP may have early-stage vulnerabilities like signaling manipulation and denial of service (DoS). Attackers may exploit the NGAP interface to manipulate call setup, session establishment, or mobility management processes.
Defense for carriers:
Secure Authentication: Implement robust authentication mechanisms to ensure that only authorized entities can access the NGAP interface, reducing the risk of signaling manipulation.
Encryption: Utilize strong encryption protocols to protect NGAP messages during transmission, preventing attackers from intercepting or tampering with signaling data.
Rate Limiting: Apply rate limiting on NGAP messages to mitigate the risk of denial-of-service (DoS) attacks by restricting the number of requests from a single source.
Traffic Monitoring: Employ advanced monitoring tools to analyze NGAP traffic for unusual patterns or anomalies, allowing for quick detection of potential attacks.
Intrusion Detection Systems (IDS): Deploy IDS to monitor and alert on suspicious activities related to NGAP signaling, providing real-time protection against manipulation attempts.
Regular Updates and Patching: Continuously update and patch network components involved in NGAP to address vulnerabilities as they are identified.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
GTP (GPRS Tunneling Protocol): Still used in 5G for tunneling data between network nodes. Vulnerabilities: Session hijacking, DoS attacks, and traffic redirection are still concerns due to GTP weaknesses in the control and user plane. Exploitable to disrupt user sessions, intercept data, or overload network nodes by exploiting session management weaknesses.
Defences for carriers: To defend against vulnerabilities associated with the GPRS Tunneling Protocol (GTP) in 5G networks, carriers can implement several key strategies:
Authentication and Encryption: Ensure robust authentication mechanisms for all nodes communicating via GTP, coupled with strong encryption to protect data in transit, mitigating the risk of session hijacking and data interception.
GTP Traffic Filtering: Deploy firewalls and intrusion prevention systems (IPS) that can specifically identify and filter GTP traffic, blocking malicious attempts to exploit GTP vulnerabilities.
Rate Limiting and Throttling: Implement rate limiting and throttling on GTP sessions to help prevent denial-of-service (DoS) attacks by controlling the volume of traffic from individual sources.
Session Management Enhancements: Strengthen session management protocols to make it harder for attackers to hijack or manipulate sessions, such as implementing robust token validation.
Monitoring and Anomaly Detection: Use advanced monitoring tools to analyze GTP traffic for anomalies or unusual patterns that could indicate exploitation attempts, enabling quick response to potential threats.
Network Segmentation: Segment the network to isolate critical components, reducing the impact of a successful attack on GTP traffic and limiting access to sensitive data.
Regular Audits and Updates: Conduct regular security audits and updates on all components handling GTP traffic to identify and rectify vulnerabilities promptly.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
NAS (Non-Access Stratum): NAS is still used in 5G for signaling between the User Equipment (UE) and the core network. Vulnerabilities: Downgrade attacks: In mixed environments (non-standalone 5G), attackers can force a device to connect to less secure 4G or even 2G networks, exposing communications to eavesdropping or interception. Replay attacks and impersonation remain a risk, especially in edge cases of transitioning between 4G and 5G networks. Allows attackers to downgrade devices to insecure connections, making it easier to exploit older vulnerabilities or intercept user traffic.
Defences for carriers: To defend against vulnerabilities associated with the Non-Access Stratum (NAS) in 5G networks, carriers can implement the following key strategies:
Strong Authentication Mechanisms: Use robust authentication protocols to verify the identity of User Equipment (UE) before establishing connections, reducing the risk of impersonation and replay attacks.
Encryption: Ensure that all NAS signaling messages are encrypted to protect against eavesdropping and interception, especially during transitions between 4G and 5G networks.
Downgrade Attack Mitigation: Implement mechanisms to detect and prevent downgrade attacks. This can include enforcing policies that prioritize connections to the most secure available network, such as 5G, and rejecting attempts to connect to older, less secure networks.
Network Slicing: Utilize network slicing to create isolated environments for different services or user groups, enhancing security and minimizing the impact of potential attacks.
Anomaly Detection Systems: Deploy advanced monitoring systems that analyze NAS signaling patterns for unusual activity, enabling quick detection of potential threats such as replay attacks.
Regular Security Updates: Ensure that all network components are regularly updated with the latest security patches and configurations to protect against known vulnerabilities.
User Equipment Security: Encourage or mandate that users enable device security features, such as keeping software up to date and using strong authentication methods.
Education and Awareness: Provide guidance and resources to users regarding the importance of connecting to secure networks and recognizing potential threats, such as suspicious behavior indicating a downgrade attack.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
SDAP (Service Data Adaptation Protocol): Vulnerabilities: Being a new protocol, SDAP is still being tested, and early deployments may expose potential QoS manipulation attacks, allowing attackers to downgrade or disrupt specific types of traffic.
Exploitable to manipulate Quality of Service (QoS), potentially leading to service disruptions for priority data like emergency calls or critical services.
Defences for carriers: To defend against vulnerabilities associated with the Service Data Adaptation Protocol (SDAP) in 5G networks, carriers can implement several key strategies:
Strong Authentication Mechanisms: Use robust authentication protocols to verify the identity of User Equipment (UE) before establishing connections, reducing the risk of impersonation and replay attacks.
Encryption: Ensure that all NAS signaling messages are encrypted to protect against eavesdropping and interception, especially during transitions between 4G and 5G networks.
Downgrade Attack Mitigation: Implement mechanisms to detect and prevent downgrade attacks. This can include enforcing policies that prioritize connections to the most secure available network, such as 5G, and rejecting attempts to connect to older, less secure networks.
Network Slicing: Utilize network slicing to create isolated environments for different services or user groups, enhancing security and minimizing the impact of potential attacks.
Anomaly Detection Systems: Deploy advanced monitoring systems that analyze NAS signaling patterns for unusual activity, enabling quick detection of potential threats such as replay attacks.
Regular Security Updates: Ensure that all network components are regularly updated with the latest security patches and configurations to protect against known vulnerabilities.
User Equipment Security: Encourage or mandate that users enable device security features, such as keeping software up to date and using strong authentication methods.
Education and Awareness: Provide guidance and resources to users regarding the importance of connecting to secure networks and recognizing potential threats, such as suspicious behavior indicating a downgrade attack.
Defense for small business clients: Good small business cyber hygiene mentioned in this article.
Partner with a Reputable Mobile Carrier (Large List of Countries)
One of the most effective ways to protect your business is to partner with a mobile carrier that takes security seriously. Many telecom providers are aware of SS7 and other vulnerabilities and have implemented solutions to mitigate these risks. Be sure to ask your provider about their security practices and inquire about:
Their SS7 protection measures.
Support for encrypted voice and data services.
Their readiness for emerging threats in the 5G era.
Mobile carriers globally have been working to improve their SS7 security, although vulnerabilities still exist. SS7 (Signaling System 7) is an outdated telecommunications protocol that lacks built-in security and is vulnerable to interception, call redirection, and even fraud. Several carriers have adopted protective measures like firewalls, encryption, and continuous monitoring to mitigate these threats. However, improvements vary by region and provider.
Below is a global overview list based on continents of reputable telecom providers that have made significant strides in securing their networks, including SS7 and future protocols like Diameter in the 5G era (note there may be others but these are the ones I found):
Europe:
Germany: Deutsche Telekom leads in SS7 security, implementing firewalls and monitoring suspicious activity. Vodafone Germany also provides secure services.
UK: BT (British Telecom) and Vodafone UK are known for strong SS7 and LTE security measures.
France: Orange has advanced protections and is investing heavily in securing SS7 and 5G protocols.
Italy: TIM (Telecom Italia Mobile) has integrated SS7 firewalls and supports encrypted communication.
Norway: Telenor is the leading provider, offering comprehensive network security measures, including SS7 firewalls and encryption services. Telia Norway also provides strong SS7 protections and is working on future-proofing its 5G infrastructure.
Sweden: Telia has robust security measures for SS7 and is leading 5G security implementation. Tele2 also has implemented SS7 firewalls and encryption to ensure secure communication.
Spain: Movistar, Orange Spain, and Vodafone Spain are leaders in securing their networks against SS7 attacks. Movistar, in particular, has robust monitoring and encryption in place.
Portugal: MEO and Vodafone Portugal have implemented SS7 firewalls and are focusing on securing communications as they transition to 5G.
Greece: Cosmote, the largest provider, has advanced security measures, including SS7 firewalls and encrypted communications. Vodafone Greece has also been proactive in securing their mobile infrastructure.
Finland: Elisa and Telia Finland are both leaders in mobile security in the region. They have SS7 protections and are advancing in securing their 5G networks.
Denmark: TDC Group is the primary provider, offering strong SS7 security and investing in 5G security to protect against newer vulnerabilities. 3 Denmark is also known for its focus on secure communications, with additional firewalls in place for SS7 protection.
Ukraine: Kyivstar, Vodafone Ukraine, and Lifecell have taken steps to block certain access to SS7 and improve security in the face of geopolitical risks.
Poland: Orange Polska and Play are considered secure networks with ongoing efforts to enhance SS7 security.
Russia: MTS and Beeline provide better SS7 protections compared to other regional players, although challenges remain in broader network security. Although I'm dubious about their security practices when basic human rights are rescinded in some aspects of life and the surveillance state is ripe in Russia.
Switzerland: Swisscom and Sunrise have robust SS7 protection, employing advanced firewalls and continuous network monitoring to prevent vulnerabilities.
Austria: A1 Telekom Austria has implemented significant measures to secure its SS7 systems and is also preparing for 5G vulnerabilities. Magenta Telekom provides strong encryption and SS7 protection for businesses.
Hungary: Magyar Telekom is the leading provider, with well-established SS7 protections and ongoing efforts to secure its 5G networks. Telenor Hungary also focuses on securing both legacy and new mobile technologies.
Czech Republic: O2 Czech Republic and Vodafone Czech Republic are strong players, offering SS7 firewalls and encrypted voice/data services for businesses.
Romania: Orange Romania and Vodafone Romania both offer advanced SS7 security measures. Orange, in particular, has firewalls and encryption in place.
Bulgaria: Vivacom and A1 Bulgaria focus on securing both SS7 and their evolving 5G networks to prevent vulnerabilities.
Serbia: Telekom Srbija is the largest provider, known for its SS7 security improvements and investment in 5G readiness.
Netherlands: KPN and VodafoneZiggo are reputable for having SS7 firewalls, encryption services, and strong monitoring systems to detect suspicious activities.
Belgium: Proximus and Orange Belgium are investing heavily in SS7 and 5G security measures, employing advanced firewalls and encryption for safe communication.
Ireland: Vodafone Ireland and Three Ireland offer strong security features, including SS7 firewalls, and are focusing on emerging 5G threats.
There is small islands and other countries. TBC
North America:
United States: Major carriers like AT&T, Verizon, and T-Mobile have implemented multi-layered security, including SS7 firewalls and encryption. They also focus heavily on transitioning to 5G networks with enhanced security features.
Canada: Bell Canada, Rogers, and Telus are known for their robust SS7 and 5G security features.
Mexico: Telcel and Movistar Mexico offer strong SS7 protections and encrypted communication options for business customers.
Nicaragua: Claro Nicaragua: As part of América Móvil’s network, Claro Nicaragua has SS7 security measures in place and is working to improve overall communications security. Tigo Nicaragua: Tigo has invested in SS7 firewalls and security technologies to protect its customers, and they are focusing on 5G implementation.
Belize: Digi (Belize Telemedia Ltd.), the leading telecom provider in Belize, has worked on strengthening SS7 security and implementing modern encryption services for its network.
Guatemala: Claro Guatemala: As part of América Móvil, Claro has SS7 protection measures and is implementing stronger encryption as they expand 4G and prepare for 5G networks. Tigo Guatemala: Tigo has taken steps to strengthen its SS7 security, with a focus on preventing call interception and data theft. The company is also advancing its 5G infrastructure to address emerging security concerns.
El Salvador: Claro El Salvador: Claro offers SS7 firewalls and secure communications, benefiting from América Móvil’s regional security practices. They are also improving security as they develop 5G infrastructure. Tigo El Salvador: Tigo, a major telecom provider in El Salvador, has focused on SS7 protection, including firewalls and encryption services, with plans to enhance security as 5G becomes more prevalent.
Honduras: Claro Honduras: Claro has implemented SS7 protections and is enhancing encryption measures across its network in Honduras, while transitioning to 5G infrastructure in the region. Tigo Honduras: Tigo Honduras has deployed SS7 firewalls and continuously monitors for suspicious activities, aiming to improve data security and communications as they roll out 5G.
Costa Rica: Kolbi (ICE): The state-owned Instituto Costarricense de Electricidad (ICE) operates under the Kolbi brand, which has implemented SS7 security features, such as firewalls, and is working on improving 5G network security. Claro Costa Rica: Claro has focused on enhancing SS7 security and encryption services as part of its regional network, ensuring strong communication protection for its users.
Panama: Claro Panama: Claro Panama follows América Móvil’s regional standards for SS7 protection, including firewalls and enhanced encryption, as they prepare for future 5G security measures. Tigo Panama: Tigo has implemented SS7 protections and is working on securing its 5G infrastructure to prevent interception and fraud.
South America:
Brazil: Claro and Vivo are two of the largest telecom providers in the region, both working to strengthen SS7 defenses. TIM focuses on enhancing security protocols and has defenses against signaling threats.
Argentina: Movistar and Claro Argentina have implemented some SS7 protections and offer encryption services for voice and data.
Chile: Entel implements various security measures, including protections against SS7 vulnerabilities.
Colombia: Tigo (Millicom) commits to enhancing cybersecurity, including SS7 protections.
Peru: Entel works on securing its network against SS7 and other vulnerabilities.
Paraguay: Tigo (Millicom) has made strides in securing its telecommunications infrastructure.
Uruguay: Claro (América Móvil) engages in network security enhancements, including protections related to SS7.
Bolivia: Entel actively enhances network security and works on SS7 protections. Tigo (Millicom) focuses on security improvements for its telecommunications services.
Ecuador: Claro (América Móvil) invests in security measures, including protections against SS7 vulnerabilities. Movistar (Telefónica) implements various security protocols to safeguard communications.
Venezuela: Movistar (Telefónica) works on improving network security, including SS7 protections. Digitel engages in efforts to enhance cybersecurity for its services.
Suriname: Telesur implements security measures, although detailed information on SS7 protections may be limited.
Guyana: GTT (Guyana Telephone and Telegraph) focuses on enhancing network security, including protections against various vulnerabilities.
French Guiana: Orange engages in security improvements, including SS7 protections.
Asia-Pacific:
Australia: Telstra and Optus have been proactive in securing SS7 and are focusing on 5G security. If you are using their resellers (like AldiMobile or Woolworths Mobile or other resellers of the Optus and Telstra networks), you benefit from the same back-end security.
Japan: NTT DoCoMo, SoftBank, and KDDI are leading the region in both SS7 and 5G security efforts, with extensive monitoring and encryption protocols in place.
South Korea: SK Telecom and KT Corporation are known for high levels of security, including protections against SS7 attacks and preparation for 5G vulnerabilities.
New Zealand: Spark engages in ongoing security improvements, including protections related to SS7. Vodafone New Zealand invests in network security measures to protect communications.
South Korea: SK Telecom actively works on security enhancements, including protections against SS7 threats. KT Corporation Implements comprehensive security measures for its network services.
North Korea: I'm not sure what's happening there so be very very cautions in a surveillance state with virtually no human rights.
Singapore: Singtel Invests in security protocols, including those addressing SS7 vulnerabilities. StarHub Engages in network security improvements, including protections against signaling threats.
China: China Mobile Implements various security measures, including SS7 protections. China Unicom focuses on enhancing network security to mitigate risks. Although I'm dubious about their security practices when some basic human rights are rescinded in some aspects of life and the surveillance state is ripe in China with their GREAT WALL.
India: Reliance Jio works on securing its network infrastructure against various vulnerabilities. Bharti Airtel engages in implementing advanced security measures, including SS7 protections.
There is small islands and other countries. TBC
Africa:
South Africa: Vodacom and MTN provide secure mobile communications, with an increased focus on SS7 security and monitoring tools.
Nigeria: MTN Nigeria has been working on improving SS7 and general mobile network security as part of broader initiatives to combat cybercrime.
Kenya: Safaricom implements security measures, including protections related to SS7 vulnerabilities. Airtel Kenya focuses on improving cybersecurity across its network.
Egypt: Orange Egypt invests in network security enhancements, including SS7 protections. Vodafone Egypt engages in various security measures to protect telecommunications.
Ghana: MTN Ghana implements security protocols, including protections against SS7 vulnerabilities. Vodafone Ghana works on enhancing network security for its services.
Tanzania: Vodacom Tanzania focuses on improving network security, including SS7 protections.Tigo Tanzania engages in security measures to safeguard communications.
Uganda: MTN Uganda invests in security measures, including SS7 protections. Airtel Uganda works on enhancing cybersecurity across its network.
There are other countries. TBC
Middle East:
United Arab Emirates UAE: Etisalat and du offer secure services with efforts to improve SS7 and 5G security, with government backing for cybersecurity initiatives.
Saudi Arabia: STC (Saudi Telecom Company) is working towards securing SS7 and introducing 5G with enhanced security protocols.
Qatar: Ooredoo engages in robust security practices, including protections against SS7 vulnerabilities. Vodafone Qatar focuses on enhancing network security for its services.
Kuwait: Zain implements security protocols, including SS7 protections for its telecommunications services. VIVA works on enhancing network security to mitigate various threats.
Bahrain: Batelco invests in security enhancements, including protections related to SS7 vulnerabilities. Zain Bahrain focuses on improving network security across its services.
Oman: Omantel engages in ongoing security improvements, including SS7 protections. Ooredoo Oman implements various security measures to protect communications.
There are other countries. TBC
When travelling & roaming:
But what about if you insert a SIM card from another country or are roaming when travelling? You need to get a sim card from a provider in that country that is reputable - usually the top telecommunications providers in your country. When traveling, you might be tempted to use your home SIM or roam with a partner network. However, it’s better to purchase a local SIM from a reputable carrier in the country you visit. Top providers often have partnerships that extend their security protections, but it’s always advisable to use a SIM card from providers known for their strong security posture. But not all countries have reputable carriers or carriers that have good security standards.
Reputation & standards are important for carriers:
In general, mobile operators are aware of the weaknesses in SS7 and are taking steps to address them, but the security of the system often depends on global cooperation, as carriers are interconnected. Moving forward, 5G networks are expected to introduce new complexities, making comprehensive multi-protocol security strategies necessary.
By partnering with a secure mobile carrier, your business can mitigate the risks associated with outdated telecommunications protocols while preparing for future threats in the evolving mobile landscape.
What if I choose to keep using SMS 2FA?
Using SMS for two-factor authentication (2FA) comes with several risks, primarily due to vulnerabilities in the underlying technology and the increasing sophistication of cyberattacks.
Key risks of using SMS 2FA include:
1. SIM Swapping (SIM Hijacking)
Description: Attackers can impersonate you to your mobile provider and convince them to port your phone number to another SIM card.
Risk: Once the attacker has control of your number, they can intercept 2FA codes sent via SMS, potentially gaining access to your online accounts, including bank accounts and email.
2. SS7 Vulnerability
Description: SS7 (Signaling System 7) is a global telecommunications protocol that manages how SMS messages and calls are routed.
Risk: Hackers can exploit vulnerabilities in the SS7 protocol to intercept SMS messages, even if they don’t have access to your physical phone. This allows them to capture authentication codes remotely.
3. SMS Phishing (Smishing)
Description: Attackers send fraudulent SMS messages pretending to be from a legitimate company, asking users to reveal sensitive information.
Risk: Users might be tricked into providing sensitive details or redirected to malicious websites, giving attackers access to accounts without needing to bypass 2FA.
4. SIM Cloning
Description: Attackers can clone a victim's SIM card and receive all their messages and calls.
Risk: If an attacker clones your SIM card, they can intercept your SMS 2FA codes and access your accounts.
5. Device Theft
Description: If someone steals your phone and can unlock it, they can view any SMS-based 2FA codes directly.
Risk: Without needing to exploit network vulnerabilities, an attacker can access SMS 2FA codes if they have physical access to your device.
6. Man-in-the-Middle (MitM) Attacks
Description: In some cases, attackers can intercept SMS messages during transmission.
Risk: This type of attack can allow someone to capture authentication codes in transit and gain unauthorized access to accounts.
Convenience vs. Security
Convenience: SMS is easy to set up and use for many users, making it a popular 2FA option.
Security: Despite the convenience, the security risks associated with SMS-based 2FA have led many security experts to recommend more secure alternatives, such as authenticator apps or hardware security keys.
Given these risks, it's generally advisable to switch to more secure methods of 2FA, such as using authentication apps (e.g., Google Authenticator, Authy) or hardware-based keys (e.g., YubiKey), which are not vulnerable to SS7 and SIM-swapping attacks.
What are dangers of switching to other 2FA methods?
While SMS 2FA has significant vulnerabilities, alternative methods are not completely immune to threats either so you need to know exactly what are its weaknesses to be informed. Below are some of the main alternatives to SMS for two-factor authentication (2FA) and the potential risks associated with each:
1. Authenticator Apps (Google Authenticator, Authy, etc.) Risks:
Device Theft: If someone gains physical access to your phone or device where the authenticator app is installed, they could access the 2FA codes.
Backup & Migration: If the app is not backed up properly (like in Google Authenticator), losing the phone can make it difficult or impossible to recover accounts tied to the app.
Phishing: Attackers may use phishing techniques to trick users into revealing their 2FA codes.
App-Specific Vulnerabilities: If the app itself has security flaws, attackers may exploit those, although this is rare compared to SMS.
2. Hardware Security Keys (YubiKey, Google Titan, etc.) Risks:
Physical Theft: If someone physically steals your hardware key, they can use it to access accounts, especially if the key isn't protected by additional PIN or password measures.
Loss of Key: Losing the key can lock you out of accounts, making it essential to have a backup key or alternate recovery method.
Side-Channel Attacks: As seen with the YubiKey vulnerability (Tom's Hardware), side-channel attacks, though rare and technically complex, can potentially allow attackers to clone the key in high-value targets (such as espionage or corporate theft scenarios).
3. Biometric Authentication (Fingerprint, Face ID) Risks:
Spoofing: Attackers can sometimes spoof biometric data using high-resolution images or fake fingerprints, although modern systems have become more sophisticated in preventing this.
Privacy Issues: Biometric data, once compromised, cannot be changed like a password, making it a permanent security risk.
Hardware Issues: If the biometric sensor is faulty or not well-calibrated, it could allow unauthorized access or lock the legitimate user out.
4. Email-Based 2FA Risks:
Email Account Compromise: If an attacker gains access to your email account (through phishing, weak passwords, etc.), they can intercept 2FA codes and password reset requests.
Less Secure Than Other Methods: Email accounts are often more easily compromised than methods like hardware keys or authenticator apps, making email 2FA less secure.
5. Push Notifications (via Authy, Duo, etc.) Risks:
Push Hijacking: Attackers can sometimes use social engineering or malware to manipulate users into approving malicious push requests.
Device Vulnerabilities: Push notifications rely on the security of the device they are sent to. A compromised device (e.g., through malware) could allow attackers to intercept or approve requests without your knowledge.
6. Time-Based One-Time Passwords (TOTP) Risks:
Device Theft or Loss: If the device storing the TOTP generator (like Google Authenticator) is lost or stolen, the attacker can potentially access the codes.
Code Interception: TOTP codes can be phished if the attacker tricks the user into submitting the code to a malicious website.
While alternatives to SMS-based 2FA (like authenticator apps, hardware keys, or biometrics) are generally more secure, they each come with their own set of risks, particularly in scenarios of physical theft, phishing, or advanced attacks. The best approach often involves using a combination of these methods (e.g., hardware key (backup) + authenticator app (primary) + email (backup) + recovery codes (backup)), ensuring you have secure backups, and staying vigilant against phishing or social engineering attacks.
Conclusion
While SS7 and similar mobile protocol attacks may seem like distant threats, they can have a devastating impact on small businesses, especially if they compromise sensitive customer data or critical business communications. By being proactive and implementing the security measures mentioned above, small businesses can significantly reduce their risk and safeguard their mobile communications from these sophisticated attacks.
You will have to weigh the pros and cons of which approach you take. Depends on whether you are ok with SMS method and you don't have a lot to lose and need the convenience. But for most small businesses the alternatives to sms are best with careful planning. I think telcos and software and website designers need to work more together and stamp out these vulnerabilities and give us more options to verify - what about the potential of Cryptocurrency verification platforms such as Worldcoin? What about government or corporate run 2 factor verification methods? Will AI solved the problem? Let's wait and see.
Always remember, securing your business is an ongoing process. Regular updates, training, and a layered approach to security are key to staying protected in an evolving digital landscape.
If you are a small business owner in Australia and need help with your cybersecurity needs or want to learn more about how to secure your mobile communication systems, feel free to book a Cybersecurity session for expert advice and solutions.
Does humanity need to mature and stop cyber attacking each other? I believe this is truly the only solution to solve cybersecurity issues for good. Stop attacking and sending garbage to damage or steal from one another. Goes back to the 10 commandments and principles from Christs teachings: What you want others to do to you, you must also likewise do to them. But for now in this hate filled world, the best advice I can give: Trust no one and use discernment
Safe computing,
Michael Plis
References
Due to the complexity of this article I used a combination of my own network engineering knowledge, ChatGPT and Google Gemini to do the research,writing and also assisting me in editing. So if there is errors or something could be referenced that should be please DM me on all major social media profiles either via the social media channels listed at the top of the article or at the bottom. Thanks.
Veritasium Youtube Channel video "Exposing the Flaw in Our Phone System" quotes at the start of paragraph. Refer to the video for the credits of whose assistance they used to prepare their video and do their own research
They also used the help of:
Linus Sebastian and the team at Linus Tech Tips - you can check them out in Youtube at @LinusTechTips
Alexandre De Oliveira and Karsten Nohl
Crofton Black at Lighthouse Reports, Cathal McDaid at Enea, and James Hobson on Youtube at @hacksmith
Plus other references they list are useful to read through.
Comments