I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7. Philippe Langlois will talk about SCTPscan – Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:
“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”
SS7 has been largely a secret world, a private network of networks for signalling voice calls across all the world’s cellcos and telcos. In traditional SS7, all the links are carried over T1 or E1 pipes, and there is no opportunity for an outsider to get access to this signalling backbone.
However, SIGTRAN effectively uses an IP network as the transport for signalling, doing away with the need for T1/E1 links and specialised hardware. SCTP is the transport protocol used instead of TCP or UDP for this purpose. So from a hacker’s point of view, SCTP is a pipe that can be scanned and exploited in order to get access to telco resources.
Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so, as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7. This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so on the understanding that each party will “behave nicely”.
In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls. In an ideal world, SCTP would be the only protocol allowed through on SIGTRAN links, and furthermore each party should check the source addresses that are allowed to send messages to, and interact with, its SS7 service elements. You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be connected.
However, SS7 has some advantages on its side in this war. Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network. Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each other’s services without needing to know the internal construction of the network. This will work to defeat outsiders trying to understand how a network is put together.
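To make the lock-down above concrete, here is a small policy check written for this post as an added example (it is not code from the post, from Langlois’s SCTPscan, or from any vendor). It models an ingress filter on a SIGTRAN interconnect: only SCTP, only from the peer address ranges the other operator has declared, only to our own signalling gateways, and only on the ports the adaptation layers are expected on. Anything else is dropped and the reason is recorded, so that SCTP arriving from an undeclared source, which is what a routing or switching mistake would look like, is surfaced rather than silently discarded. The peer ranges, gateway addresses and sample packets are constructed from the RFC 5737 documentation ranges; the port-to-layer mapping is an assumption that should be replaced by whatever the peering agreement specifies.

```python
"""Hypothetical SIGTRAN ingress policy check (added example, not the post's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

IPPROTO_SCTP = 132  # IANA protocol number for SCTP

# Assumed SCTP ports for the SIGTRAN adaptation layers; confirm against the
# peering agreement before using these values on a real link.
SIGTRAN_PORTS = {2905: "M3UA", 3565: "M2PA", 14001: "SUA"}


@dataclass(frozen=True)
class Packet:
    """The handful of header fields the policy needs; a stand-in for a real packet."""
    src: str
    dst: str
    proto: int              # IP protocol number
    dport: Optional[int]    # transport destination port, None if the protocol has none


class SigtranIngressPolicy:
    def __init__(self, declared_peers: Iterable[str], local_gateways: Iterable[str]):
        self.peers = [ipaddress.ip_network(p) for p in declared_peers]
        self.gateways = {ipaddress.ip_address(a) for a in local_gateways}

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). Checks are ordered so the most
        informative reason is reported first."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.gateways:
            return "DROP", "not addressed to a local signalling gateway"
        if pkt.proto != IPPROTO_SCTP:
            return "DROP", f"non-SCTP protocol {pkt.proto} on SIGTRAN link"
        if not any(src in net for net in self.peers):
            # The case the post warns about: SCTP reaching us from somewhere
            # that should never have been able to route here.
            return "DROP", "SCTP from undeclared source; possible routing error or scan"
        if pkt.dport not in SIGTRAN_PORTS:
            return "DROP", f"SCTP to unexpected port {pkt.dport}"
        return "ACCEPT", f"{SIGTRAN_PORTS[pkt.dport]} from declared peer"


def apply_policy(policy: SigtranIngressPolicy,
                 packets: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
    """Evaluate every packet and keep the verdict and reason alongside it."""
    return [(p, *policy.evaluate(p)) for p in packets]


def undeclared_sources(verdicts: Iterable[Tuple[Packet, str, str]]) -> Set[str]:
    """Addresses that sent SCTP but are not declared peers: the list an
    operator would want to investigate for mis-routing or scanning."""
    return {p.src for p, _, reason in verdicts if reason.startswith("SCTP from undeclared")}


# Constructed sample data using RFC 5737 documentation ranges.
DECLARED_PEERS = ["192.0.2.0/24"]          # the other operator's declared SIGTRAN addresses
LOCAL_GATEWAYS = ["198.51.100.5"]          # our signalling gateway
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", IPPROTO_SCTP, 2905),   # declared peer, M3UA
    Packet("192.0.2.10", "198.51.100.5", 6, 2905),              # TCP from the peer
    Packet("203.0.113.77", "198.51.100.5", IPPROTO_SCTP, 2905), # SCTP from an undeclared address
    Packet("192.0.2.10", "198.51.100.5", IPPROTO_SCTP, 22),     # SCTP to a non-SIGTRAN port
    Packet("192.0.2.10", "198.51.100.9", IPPROTO_SCTP, 2905),   # not one of our gateways
]


def run_example() -> List[str]:
    """Apply the policy to the constructed packets and return the verdicts in order."""
    policy = SigtranIngressPolicy(DECLARED_PEERS, LOCAL_GATEWAYS)
    verdicts = apply_policy(policy, SAMPLE_PACKETS)
    for pkt, action, reason in verdicts:
        print(f"{action:6} {pkt.src} -> {pkt.dst} proto={pkt.proto} dport={pkt.dport}: {reason}")
    return [action for _, action, _ in verdicts]


if __name__ == "__main__":
    run_example()
```

The same four conditions translate directly into a packet filter on the signalling gateway’s interconnect interface (match on IP protocol SCTP, a source-address set of declared peers, the gateway’s own address and the agreed SCTP ports, default drop), with the drop counters or logs feeding the kind of “who is sending us SCTP that should not be able to reach us” report that `undeclared_sources` produces here.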
Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. We can be sure that on the Internet, anything that can be hacked, someone will try to hack.
SS7 has been known to be vulnerable to “hackers” for a long time. It’s just that they (the hackers) are still having too much fun with things like XSS, buffer overflows and phishing attacks…
Just wait until they get bored…
Ray, allow me to doubt that the same category of hackers is going to work on XSS attacks and on SS7 networks.
Martyn, your statement about GTT is only partially accurate. Global Title can and will be used to facilitate some forms of SS7 attacks. The main problem, and you point that out, will be the trust model between operators – something that makes rlogin look like a high-security protocol.
Hi, you can access some of the tools online on the SCTP / SIGTRAN / TSTF Research website at:
http://sctp.tstf.net/index.php/SCTPscan/SCTPscan
Best regards,
Philippe.
Thanks for the link, Philippe.
Emmanuel, thanks also for your comments. I take your point about global title, and reading back on my piece I realise that the way I worded it, “…work to defeat…”, implies more certainty of security than I actually meant to convey. I only meant to say that it could help in terms of security, not that it would “kill all Sigtran hacks”.
Hi Guys,
I didn’t attend the conference in Amsterdam. I was presenting at a few other conferences related to telecommunication and communication security instead.
There is something I feel that might be left out of this conversation at the very least.
ISUP is IMHO the most ‘hackable’ part of the SS7 protocol. It’s the ISDN User Part – the chunk of the protocol that sets up call parameters. For instance, when looking at ISUP in my recent presentation on NGN security, covering off VoIP (because it’s a fairly straightforward port from SS7 to VoIP in terms of the protocol), I referenced the ease of altering A and B end numbers, showing the conference audience exactly how to do it and then how to protect against it.
In so far as the standard is concerned, SIP-I has no ‘built-in’ authentication. So, spoofing A end and B end is straightforward, if you know how. Something else I touched on was SSBoundary. I mentioned it was just like a MIME multipart that you see in email.
Again, because there was little designed around the security of the SSBoundary, it’s possible to do creative things like: open a new SSBoundary and insert malicious code, make another call, or really anything the ‘hacker’ wants…
Vendors are coming up with Biometric phones, user to phone authentication, VPNs, encryption and all these security controls, along with fraud management vendors claiming they can do ‘effective fraud management’ on VoIP. I don’t doubt that one day, perhaps some day soon, vendors might come up with robust fraud and security solutions but until then the CISSP idiots of the world are all going to buy their solutions, implement them, audit them and feel safe until the next round of conference talks aimed at raising awareness on the issues.
Getting back to the comment by Emmanuel Gadaix above, however, it’s true that trust models need to exist between interconnecting operators, both on national and international legs. But going to my comment above on ISUP and SIP-I, what I have seen in my experience on the work I have done for operators is that unless there is going to be one vendor for all interconnects, and those interconnect points are all operating off the same hardware/software, then there will never be – any time soon at least – a secure and robust solution that can deal with ISUP and SIP-I security issues (as mentioned above). I reference the standards when I say this. Standards, as you’re probably familiar with, are something vendors don’t always implement the same way. They’re open to interpretation… I just don’t see a secure VoIP call happening any time soon.
My 2 cents.
Jamie Fisher
mobilenetworksecurity.com