Skip to main content
SpringerLink
Log in

Attacks to mobile networks using SS7 vulnerabilities: a real traffic analysis

  • Published:
Telecommunication Systems Aims and scope Submit manuscript

Abstract

The SS7 (Signaling System n\(^o\) 7) protocol stack is still in use today to interconnect networks from different mobile telecommunication providers. These protocols were proposed in the 80 s, taking into account mutual trust relationships between participants. With the success of IP communications and the growth in the number of carriers, mobile networks have become exposed to many SS7 attacks. In this paper, we discuss important threats to SS7 networks as well as the main countermeasures. We also analyze a dataset obtained from a major telecommunication provider in Brazil. From this dataset, we observe that thousands of threats are triggered daily, that the main attacks are proportional along the time, that attacks are concentrated on a subset of attack sources as well as on a subset of victims, and that attack orchestration is possible but still not clear. These findings justify all the concerns regarding SS7 vulnerabilities and encourage new proposals towards attack mitigation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Availability of data and materials

Not applicable.

Code Availability

Not applicable.

Notes

  1. The authors would like to thank Flaticon for the icons of the BTS/NodeB, the telephone, and the globe (https://www.flaticon.com/).

References

  1. 3GPP: Mobile Application Part (MAP) specification. (1999). Technical specification (TS), 3rd generation partnership project (3GPP). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1585

  2. Ateniese, G., Herzberg, A., Krawczyk, H., & Tsudik, G. (1999). Untraceable mobility or how to travel incognito. Computer Networks, 31(9), 871–884.

    Article  Google Scholar 

  3. Bais, A., Penzhorn, W. T., & Palensky, P. (2006). Evaluation of umts security architecture and services. In 4th IEEE international conference on industrial informatics (INDIN) (pp. 570–575). IEEE

  4. Bautista, J. E. V., Sawhney, S., Shukair, M., Singh, I., Govindaraju, V. K., & Sarkar, S. (2013). Performance of CS fallback from LTE to UMTS. IEEE Communications Magazine, 51(9), 136–143.

    Article  Google Scholar 

  5. Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., & Weippl, E. (2014). IMSI-catch me if you can: IMSI-catcher-catchers. In 30th annual computer security applications conference (ACSAC) (pp. 246–255)

  6. Engel, T. (2008). Locating mobile phones using signalling system #7. 25th Chaos Communication Congress. https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf

  7. Gold, S. (2011). Cracking cellular networks via femtocells. Network Security, 2011(9), 5–8.

    Article  Google Scholar 

  8. GSMA: IR.82 SS7 security network implementation guidelines (2016). Tech. rep., GSM Association. https://www.gsma.com/security/resources/ir-82-ss7-security-network-implementation-guidelines-v5-0/. Version 5.0

  9. GSMA: The mobile economy 2019 (2019). Tech. rep., GSM Association. https://www.gsma.com/r/mobileeconomy/

  10. GSMA: The Mobile Economy 2020 (2020). Tech. rep., GSM Association. https://www.gsma.com/r/mobileeconomy/

  11. Holtmanns, S., Rao, S. P., & Oliver, I. (2016). User location tracking attacks for LTE networks using the interworking functionality. In IFIP Networking conference (Networking) and workshops (pp. 315–322). IEEE

  12. Ilascu, I. (2021). Lightbasin hacking group breaches 13 global telecoms in two years. https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/ . Online; Accessed in December 30, 2022

  13. Jensen, K., Do, T. V., Nguyen, H. T., & Arnes, A. (2016). Better protection of SS7 networks with machine learning. In 6th international conference on IT convergence e security (ICITCS) (pp 1–7). IEEE

  14. Kalenderi, M., Pnevmatikatos, D., Papaefstathiou, I., & Manifavas, H. (2012). Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs. In 22nd international conference on field programmable logic and applications (FPL) (pp. 747–753)

  15. Kulkarni, P., & Oviedo, R. M. (2014). Should operators switch-off their legacy infrastructure or re-purpose it for M2M? In IEEE international symposium on a world of wireless, mobile and multimedia networks (WoWMoM) (pp. 1–6). IEEE

  16. Liu, G., Huang, Y., Chen, Z., Liu, L., Wang, Q., & Li, N. (2020). 5G deployment: Standalone vs. non-standalone from the operator perspective. IEEE Communications Magazine, 58(11), 83–89.

    Article  Google Scholar 

  17. Nohl, K. (2014). Mobile Self-Defense. Tech. rep., Security Research Labs . https://fahrplan.events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf

  18. Oracle: EAGLE Database Administration- GTT User’s Guide (2022). https://docs.oracle.com/en/industries/communications/eagle/46.9/index.html

  19. Peeters, C., Abdullah, H., Scaife, N., Bowers, J., Traynor, P., Reaves, B., & Butler, K. (2018). Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In IEEE symposium on security and privacy (SP) (pp. 567–582). IEEE

  20. Pell, S. K., & Soghoian, C. (2014). Your secret Stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy. Harvard Journal of Law and Technology, 28(1)

  21. Rao, S. P., Kotte, B. T., & Holtmanns, S. (2016). Privacy in LTE networks. In 9th EAI international conference on mobile multimedia communications (pp. 176–183). ACM

  22. Roth, J. D., Tummala, M., McEachen, J. C., & Scrofani, J. W. (2017). On location privacy in LTE networks. IEEE Transactions on Information Forensics and Security, 12(6), 1358–1368.

    Article  Google Scholar 

  23. Rupprecht, D., Dabrowski, A., Holz, T., Weippl, E., & Pöpper, C. (2018). On security research towards future mobile network generations. IEEE Communications Surveys & Tutorials, 20(3), 2518–2542.

    Article  Google Scholar 

  24. Schaeken, V. (2019). Vulnerabilities, potential risks and recommendations . https://www.itu.int/en/ITU-T/Workshops-and-Seminars/102019/Documents/Vulnerabilties_and_Categories.pdf

  25. Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., & Seifert, J. (2015). Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR abs/1510.07563

  26. Technologies, P. (2018). SS7 vulnerabilities and attack exposure report . https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Positive-Research-2018-eng.pdf

  27. Tu, G. H., Li, C. Y., Peng, C., & Lu, S. (2015). How voice call technology poses security threats in 4G LTE networks. In 2015 IEEE conference on communications and network security (CNS) (pp. 442–450). IEEE

  28. Ullah, K., Rashid, I., Afzal, H., Iqbal, M. M. W., Bangash, Y. A., & Abbas, H. (2020). SS7 vulnerabilities—A survey & implementation of machine learning vs rule based filtering for detection of SS7 network attacks. IEEE Communications Surveys & Tutorials, 22(2), 1337–1371.

    Article  Google Scholar 

  29. Van Den Broek, F., Verdult, R., & de Ruiter, J. (2015). Defeating imsi catchers. In Proceedings of the 22nd conference on computer and communications security (SIGSAC) (pp. 340–351). ACM

  30. Zheng, Y., Huang, L., Shan, H., Li, J., Yang, Q., & Xu, W. (2017). Ghost telephonist impersonates you: Vulnerability in 4G LTE CS fallback. In IEEE conference on communications and network security (CNS) (pp 1–9). IEEE

Download references

Funding

This paper was partially supported by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior— Brasil (CAPES)—Finance Code 001, CNPq, FAPERJ grant number E-26/211.144/2019 and Grant Number E-26/202.689/2018, and FAPESP Grant Number 15/24494-8.

Author information

Authors and Affiliations

  1. GTA-PEE/COPPE-DEL/Poli, Universidade Federal do Rio de Janeiro (UFRJ), Rio de Janeiro, Brazil

    Luiza Odete H. de Carvalho Macedo & Miguel Elias M. Campista

Authors
  1. Luiza Odete H. de Carvalho Macedo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Miguel Elias M. Campista
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Miguel Elias M. Campista.

Ethics declarations

Conflict of interest

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

de Carvalho Macedo, L.O.H., Campista, M.E.M. Attacks to mobile networks using SS7 vulnerabilities: a real traffic analysis. Telecommun Syst 83, 253–265 (2023). https://doi.org/10.1007/s11235-023-01018-0

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11235-023-01018-0

Keywords

Search

Navigation