I didn’t attend the conference in Amsterdam. I was presenting at a few other conferences related to telecommunication and communication security instead.

There is something I feel that might be left out of this conversation at the very least.

ISUP is IMHO the most ‘hackable’ part of the SS7 protocol. Its the ISDN User Part - the chunk of the protocol that sets up call parameters. For instance, when looking at ISUP in my recent presentation on NGN security, covering off VoIP (because its a fairly straight forward port from SS7 to VoIP in terms of the protocol) I referenced the ease of ability in altering A and B end numbers, showing the conference audience exactly how to do it and then how to protect against it.

In so far as the standard is concerned, SIP-I has no ‘built-in’ authentication. So, spoofing A end and B end is straight forward, if you know how. Something else I touched on was SSBoundary. I mentioned it was jut like a Mime MultiPart that you see in email.

Again, because there was little designed around the security of the SSBoundary, its possible to do creative things like; open a new SSBoundary and insert malicious code, make another call, or really anything the ‘hacker’ wants…

Vendors are coming up with Biometric phones, user to phone authentication, VPNs, encryption and all these security controls, along with fraud management vendors claiming they can do ‘effective fraud management’ on VoIP. I don’t doubt that one day, perhaps some day soon, vendors might come up with robust fraud and security solutions but until then the CISSP idiots of the world are all going to buy their solutions, implement them, audit them and feel safe until the next round of conference talks aimed at raising awareness on the issues.

Getting back to the comment by Emmanuel Gadaix above however, its true that trust models need to exist between interconnecting operators, both on national and international legs, but going to my comment above on ISUP and SIP-I, what I have seen in my experience on the work I have done for operators is that unless there is going to be one vendor for all interconnects, and those interconnect points are all operating off the same hardware/software, then there will never be - any time soon at least - a secure and robust solution that can deal with ISUP and SIP-I security issues (as mentioned above). I reference the standards when I say this. Standards as you’re probably familiar with are something vendors don’t always implement the same way. They’re open to interpretation… I just don’t see a secure VoIP call happening any time soon.

My 2 cents.

Jamie Fisher
mobilenetworksecurity.com

Shared view with Martyn Davies about SS7 Security. He basically summed up very nicely my introduction to SCTPscan & SIGTRAN security….

Emmanuel, thanks also for your comments. I take your point about global title, and reading back on my piece I realise that they way I worded it “…work to defeat…” implies more certainty of security than I actually meant to convey. I only meant to say that it could help in terms of security, not that it would “kill all Sigtran hacks”.

Best regards,
Philippe.

Martyn your statement about GTT is only partially accurate. Global Title can and will be used to facilitate some forms of SS7 attacks. The main problem and you point that out will be the trust model between operators - something that makes rlogin looks like a high-security protocol.

It’s just that they (the hackers) are still having too much fun with
things like XSS, buffer overflows and phishing attacks….

Just wait until they get bored……..