Scribd
Upload
490 views14 pages

SS7

This document summarizes an assessment of interconnection security in the European Union. It finds that the risk level of attacks is medium to high, and that while basic protection measures are in place, attacks continue to evolve. Recommendations include ensuring comprehensive monitoring of signaling protocols, adopting firewalling, developing security standards for new mobile networks, and promoting cooperation between operator security teams. The assessment calls for further analysis of threats to identify developments and establish EU-level guidelines to improve protection, especially as 5G networks introduce new vulnerabilities.

Uploaded by

Hms Awan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
490 views14 pages

SS7

This document summarizes an assessment of interconnection security in the European Union. It finds that the risk level of attacks is medium to high, and that while basic protection measures are in place, attacks continue to evolve. Recommendations include ensuring comprehensive monitoring of signaling protocols, adopting firewalling, developing security standards for new mobile networks, and promoting cooperation between operator security teams. The assessment calls for further analysis of threats to identify developments and establish EU-level guidelines to improve protection, especially as 5G networks introduce new vulnerabilities.

Uploaded by

Hms Awan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

Interconnection Security:

An EU level assessment
ENISA’s IR Team | Secure Infrastructures & Services Unit
24th Article 13a EG workshop | Vienna | 28.2.2018
European Union Agency for Network and Information Security
You can teach an old protocol new tricks

Many stakeholders are paying attention to this


• Hacking conferences (CCC, Hackito Ergo Sum,…)
• Media Coverage (Washington Post, CBS,…)
• Regulators (Nordic, FCC,…)
• Organizations (GSMA, ITU, ETSI,…)

Interconnection Security | ENISA IR Team –COD1 Unit 2


What can go wrong?

• Data session hijacking: Belgacom case


• Eavesdropping: CBS 60 minutes
• mTAN interception: O2
• One time password theft: Positive technologies
• SMS and one time password interception: IEEE 2017
• Subscriber Profile Extraction and Modification: NSS 2017
• 2018?

Interconnection Security | ENISA IR Team –COD1 Unit 3


Perceived risk from signalling

10%

51%
Medium 39%

High

Low

Interconnection Security | ENISA IR Team –COD1 Unit 4


Common types of attacks
90%
84.62%

80%

70%

60% 56.41%

48.72%
50%
41.03%
40%

30%

20%
12.82%
10% 5.13% 5.13%
2.56%
0%

SMS Spam Spoofing

Location Tracking Subscriber Fraud

Text Message Interception Subscriber or provider Denial of Service

Routing attacks Call Interception

Interconnection Security | ENISA IR Team –COD1 Unit 5


How often?

7.69%
12.82%

17.95%

less than 10
61.54%
10 to 100

more than 100

Interconnection Security | ENISA IR Team –COD1 Unit 6


How we protect ourselves?
100%

90% 87.18%

80%
71.79%
70%

60%

50%

40%
33.33%

30% 28.21%
25.64%
20.51%
20%
12.82%

10%

0%

Implement SMS Home Routing Filtering on transit and end nodes


Active Testing / Auditing Implement Signalling Firewall
Other Avoidance of Optimal Call Routing
Implement Advanced Analytics

Interconnection Security | ENISA IR Team –COD1 Unit 7


Guidelines on signalling security
90.00%

80.00% 76.92%

70.00% 66.67%

60.00%
53.85% 53.85% 53.85%

50.00%

40.00% 35.90%
30.77%
30.00%
20.51%
20.00%

10.00%

0.00%

GSMA FS.11: SS7 Monitoring


GSMA FS.07: SS7 filtering
GSMA FS.19: Diameter interconnect security
GSMA IR.82: Security SS7 implementation on SS7 network guidelines
GSMA IR.88: LTE roaming guidelines
GSMA IR.77: Inter-Operator IP Backbone Security Requirements
GSMA IR.67: DNS and ENUM guidelines for Service Providers & GRX and IPX Providers
3GPP TS 33.117, TS 33.116 or TS 33.250: Security Assurance on critical nodes

Interconnection Security | ENISA IR Team –COD1 Unit 8


5G security concerns
80.00%

71.79%
70.00%

61.54%
60.00%

50.00%

40.00% 35.90%

30.00% 28.21%

20.00%

10.00%

0.00%

The same vulnerabilities could still be present

IoT and M2M roaming would open new Diameter interfaces for interconnect

Slicing may cause interconnect to be completely redesigned

End-to-end Diameter security would break wire-compability with existing interconnect

Interconnection Security | ENISA IR Team –COD1 Unit 9


Conclusions

• Level of risk: Medium to high!


• Proper attention needed by all stakeholders
• Diameter inherited the risk
• Basic measures are in place but they are basic!
• Attacks are evolving
• 5G: A brand new threat playground?

Interconnection Security | ENISA IR Team –COD1 Unit 10


High level recommendations
EU Commission ENISA – Article13a EG
• 5G PPP (security) • Further analysis of the situation to
• Baseline security measures for identify further developments
interconnections • EU high-level guidelines to assure
• Funding to improve protection advanced protection at MS level
• Increase international cooperation
NRAs Industry
• Regularly analyze national • Operators: adopt measures to
situation and be aware of new ensure adequate level of security
developments • Standardisation bodies: Ensure
• Develop national security is properly addressed on
guidelines/minimum security the new 5G standard to avoid
measures current threats

Interconnection Security | ENISA IR Team –COD1 Unit 11


Technical recommendations

• Ensure global and exhaustive monitoring of SS7 / Diameter /


GTP
• Operators should be capable to protect against basic attacks
• Operators should adopt SS7 / Diameter firewalling
• Development of specifications and standards for new mobile
signaling elements
• Promote communication between operators’ CERTs/SOCs at
EU level

Interconnection Security | ENISA IR Team –COD1 Unit 12


Good practices

Advanced
- Redirect to captive environment
- Detect prequels to attacks
- Detect advanced attacks
- Deeply screen signalling messages

Intermediate
- Regularly perform external network security assessments
- Ensure liability and legality of responses to malicious traffic
- Analyse Interconnect messaging
- Advice carriers to adopt security options in their interconnect offers

Core measures
- Monitor all interconnect traffic
- Monitor core network elements
- Monitor outgoing traffic

Interconnection Security | ENISA IR Team –COD1 Unit 13


Thank you
PO Box 1309, 710 01 Heraklion, Greece

Tel: +30 28 14 40 9710

[email protected]

www.enisa.europa.eu

You might also like