Computaris: dialling into the ugly truth on SS7

Telecommunications is rife for hacking, or at least that’s what people say.

The problem is, many of our telco-level communications protocols, systems, subsystems and substrates have been around a long time — and that’s what makes them vulnerable.

Razvan Rusu, Computaris presales manager says that, as of now, a massive security flaw exists in the way all mobile networks operate and communicate with each other.

As firm, Computaris specialises in system integration, BSS technical consultancy and software development for software vendors and communication services providers (CSPs) — basically, this is stuff like mobile broadband data policy management and provisioning etc.

Computaris says that there is an ugly truth at the heart of mobile networks and its not confined to a small, unused part of the network — it’s down to SS7.

According to, “On the public switched telephone network (PSTN), Signaling System 7 (SS7) is a system that puts the information required to set up and manage telephone calls in a separate network rather than within the same network that the telephone call is made on.”

Basically it is a set of telephony signal protocols that handles almost every function in a mobile network, including voice calls and text messages.

The problem is (says Rusu) that SS7 was developed over 30 years ago without including any security mechanisms.

At the time of its design, SS7 network was considered a trusted network offering as it was designed with the possibility for a Network Element to pretend to be and to respond on behalf of any other Network Element.

The problem is (says Rusu), these design features are actually the flaws that can be exploited by hackers. The suggestion here is that SS7 was conceived at a time before hacking was even called hacking.

1 computrariefwe234r.png

Rusu writes as follows:

“To make matters worse, because of roaming agreements, SS7 messages flow freely between mobile operators. This means that an on-net call (calling and called part from the same network) that should never leave that mobile operator can be controlled by or redirected to any other mobile network operator. This allows hackers to target a mobile subscriber from anywhere in the world.”

“Hackers use messages normally exchanged between mobile operators, which make SS7 attacks very difficult to detect. By sending seemingly normal requests they can obtain the International Mobile Subscriber Identity (IMSI), a unique number associated to every SIM card. Using the IMSI, the hackers can target their attack on a single mobile phone, sending only a couple of SS7 messages per targeted IMSI.”

“Every mobile network is potentially at risk and consequently, every mobile user is as well. Mobile operators can secure the access to their own core network but do not have control over what happens with other mobile operators. The challenge for mobile operators is to block attacks while allowing normal messages exchange between operators.”

“The current equipment used for routing SS7 (STP) are not capable of detecting and blocking these types of attacks. A solution is not easy, but nonetheless, it exists. First, mobile operators can hide the subscriber’s real IMSI and MSC/VLR address. By home routing SMS messages, the real IMSI can be hidden while the SMS messages are still delivered. Hiding the IMSIs is a great step towards network security, since all the attacks need the subscriber’s real IMSI. However, this first step is not enough, as hackers may already know the IMSIs of their targets from previous attacks. The IMSI is linked to the SIM card, so it changes very rarely. In addition to hiding the real IMSIs, mobile operators could enhance their STPs routing features. Messages received from other mobile operators can be sent to an external application that can decide, based on the data carried in that message, if the request is a genuine request or an attack.”