I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7.Â Philippe Langlois will talk about SCTPscan – Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:
â€œSCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.â€
SS7 has been largely a secret world, a private network of networks for signaling voice calls across all the worldâ€™s cellcos and telcos.Â In traditional SS7, all the links are achieved with T1 or E1 pipes, and thereâ€™s no opportunity to get access to this signalling backbone.Â
However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware.Â SCTP is a protocol that is used instead of TCP or UDP for this purpose.Â So from a hacker point of view, SCTP is a pipe that can be exploited and scanned in order to get access to telco resources.
Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7.Â This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so in the understanding that each party will â€œbehave nicelyâ€.
In the Internet world, of course, there is no guarantee of â€œnicenessâ€, and SIGTRAN links need to be locked down with tools like firewalls.Â In an ideal world, SCTP would be only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements.Â You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be.
However, SS7 has some advantages on its side in this war.Â Firstly, it is a complex set of protocols, and most hackers will not have any â€œhands-onâ€ experience that will help them find weaknesses in the network.Â Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each othersâ€™ services without needing to know the internalÂ construction of the network.Â This will work to defeat outsiders from understanding how a network is put together.
Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake.Â We can be sure in the Internet that anything that can be hacked, someone will try to hack it.Â Â