Abstract
The SS7 (Signaling System n\(^o\) 7) protocol stack is still in use today to interconnect networks from different mobile telecommunication providers. These protocols were proposed in the 80 s, taking into account mutual trust relationships between participants. With the success of IP communications and the growth in the number of carriers, mobile networks have become exposed to many SS7 attacks. In this paper, we discuss important threats to SS7 networks as well as the main countermeasures. We also analyze a dataset obtained from a major telecommunication provider in Brazil. From this dataset, we observe that thousands of threats are triggered daily, that the main attacks are proportional along the time, that attacks are concentrated on a subset of attack sources as well as on a subset of victims, and that attack orchestration is possible but still not clear. These findings justify all the concerns regarding SS7 vulnerabilities and encourage new proposals towards attack mitigation.
Similar content being viewed by others
Availability of data and materials
Not applicable.
Code Availability
Not applicable.
Notes
The authors would like to thank Flaticon for the icons of the BTS/NodeB, the telephone, and the globe (https://www.flaticon.com/).
References
3GPP: Mobile Application Part (MAP) specification. (1999). Technical specification (TS), 3rd generation partnership project (3GPP). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1585
Ateniese, G., Herzberg, A., Krawczyk, H., & Tsudik, G. (1999). Untraceable mobility or how to travel incognito. Computer Networks, 31(9), 871–884.
Bais, A., Penzhorn, W. T., & Palensky, P. (2006). Evaluation of umts security architecture and services. In 4th IEEE international conference on industrial informatics (INDIN) (pp. 570–575). IEEE
Bautista, J. E. V., Sawhney, S., Shukair, M., Singh, I., Govindaraju, V. K., & Sarkar, S. (2013). Performance of CS fallback from LTE to UMTS. IEEE Communications Magazine, 51(9), 136–143.
Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., & Weippl, E. (2014). IMSI-catch me if you can: IMSI-catcher-catchers. In 30th annual computer security applications conference (ACSAC) (pp. 246–255)
Engel, T. (2008). Locating mobile phones using signalling system #7. 25th Chaos Communication Congress. https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
Gold, S. (2011). Cracking cellular networks via femtocells. Network Security, 2011(9), 5–8.
GSMA: IR.82 SS7 security network implementation guidelines (2016). Tech. rep., GSM Association. https://www.gsma.com/security/resources/ir-82-ss7-security-network-implementation-guidelines-v5-0/. Version 5.0
GSMA: The mobile economy 2019 (2019). Tech. rep., GSM Association. https://www.gsma.com/r/mobileeconomy/
GSMA: The Mobile Economy 2020 (2020). Tech. rep., GSM Association. https://www.gsma.com/r/mobileeconomy/
Holtmanns, S., Rao, S. P., & Oliver, I. (2016). User location tracking attacks for LTE networks using the interworking functionality. In IFIP Networking conference (Networking) and workshops (pp. 315–322). IEEE
Ilascu, I. (2021). Lightbasin hacking group breaches 13 global telecoms in two years. https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/ . Online; Accessed in December 30, 2022
Jensen, K., Do, T. V., Nguyen, H. T., & Arnes, A. (2016). Better protection of SS7 networks with machine learning. In 6th international conference on IT convergence e security (ICITCS) (pp 1–7). IEEE
Kalenderi, M., Pnevmatikatos, D., Papaefstathiou, I., & Manifavas, H. (2012). Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs. In 22nd international conference on field programmable logic and applications (FPL) (pp. 747–753)
Kulkarni, P., & Oviedo, R. M. (2014). Should operators switch-off their legacy infrastructure or re-purpose it for M2M? In IEEE international symposium on a world of wireless, mobile and multimedia networks (WoWMoM) (pp. 1–6). IEEE
Liu, G., Huang, Y., Chen, Z., Liu, L., Wang, Q., & Li, N. (2020). 5G deployment: Standalone vs. non-standalone from the operator perspective. IEEE Communications Magazine, 58(11), 83–89.
Nohl, K. (2014). Mobile Self-Defense. Tech. rep., Security Research Labs . https://fahrplan.events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf
Oracle: EAGLE Database Administration- GTT User’s Guide (2022). https://docs.oracle.com/en/industries/communications/eagle/46.9/index.html
Peeters, C., Abdullah, H., Scaife, N., Bowers, J., Traynor, P., Reaves, B., & Butler, K. (2018). Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In IEEE symposium on security and privacy (SP) (pp. 567–582). IEEE
Pell, S. K., & Soghoian, C. (2014). Your secret Stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy. Harvard Journal of Law and Technology, 28(1)
Rao, S. P., Kotte, B. T., & Holtmanns, S. (2016). Privacy in LTE networks. In 9th EAI international conference on mobile multimedia communications (pp. 176–183). ACM
Roth, J. D., Tummala, M., McEachen, J. C., & Scrofani, J. W. (2017). On location privacy in LTE networks. IEEE Transactions on Information Forensics and Security, 12(6), 1358–1368.
Rupprecht, D., Dabrowski, A., Holz, T., Weippl, E., & Pöpper, C. (2018). On security research towards future mobile network generations. IEEE Communications Surveys & Tutorials, 20(3), 2518–2542.
Schaeken, V. (2019). Vulnerabilities, potential risks and recommendations . https://www.itu.int/en/ITU-T/Workshops-and-Seminars/102019/Documents/Vulnerabilties_and_Categories.pdf
Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., & Seifert, J. (2015). Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR abs/1510.07563
Technologies, P. (2018). SS7 vulnerabilities and attack exposure report . https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Positive-Research-2018-eng.pdf
Tu, G. H., Li, C. Y., Peng, C., & Lu, S. (2015). How voice call technology poses security threats in 4G LTE networks. In 2015 IEEE conference on communications and network security (CNS) (pp. 442–450). IEEE
Ullah, K., Rashid, I., Afzal, H., Iqbal, M. M. W., Bangash, Y. A., & Abbas, H. (2020). SS7 vulnerabilities—A survey & implementation of machine learning vs rule based filtering for detection of SS7 network attacks. IEEE Communications Surveys & Tutorials, 22(2), 1337–1371.
Van Den Broek, F., Verdult, R., & de Ruiter, J. (2015). Defeating imsi catchers. In Proceedings of the 22nd conference on computer and communications security (SIGSAC) (pp. 340–351). ACM
Zheng, Y., Huang, L., Shan, H., Li, J., Yang, Q., & Xu, W. (2017). Ghost telephonist impersonates you: Vulnerability in 4G LTE CS fallback. In IEEE conference on communications and network security (CNS) (pp 1–9). IEEE
Funding
This paper was partially supported by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior— Brasil (CAPES)—Finance Code 001, CNPq, FAPERJ grant number E-26/211.144/2019 and Grant Number E-26/202.689/2018, and FAPESP Grant Number 15/24494-8.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
de Carvalho Macedo, L.O.H., Campista, M.E.M. Attacks to mobile networks using SS7 vulnerabilities: a real traffic analysis. Telecommun Syst 83, 253–265 (2023). https://doi.org/10.1007/s11235-023-01018-0
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11235-023-01018-0