Skip to main content

Could SS7 be the Achilles' heel for 5G?

(Image credit: Dmitry Kurbatov)

The spotlight is firmly on 5G technology - between the new rollouts and the ongoing tug and war about Huawei’s involvement in the UK - and that’s despite GSMA reporting that the number of 4G and 5G users are only now beginning to surpass that of 2G and 3G users. And with the ongoing debates and discussions circulating around broader 5G security, the industry is at risk of forgetting about a silent threat which lurks in the 2G & 3G network, which the majority of Brits still use: SS7.

The SS7 (Signaling System No. 7) protocols governing the exchange of signalling messages. Although it is decades old, it is still actively used in 2G and 3G networks today. The flaws within the protocol are nothing new but the problems have continued to fester and get worse in recent years. Not only this, but even LTE-only networks using the Diameter protocol instead of SS7 interconnect with previous-generation networks. This means that even 4G networks which use diameter are vulnerable to some attacks via SS7 networks. 

Operators have become so focused by 5G, that they  are taking less action on the 2G & 3G network - a blindspot they cannot afford to have, given the potential threats it presents to both the network & its subscribers. The gaps in the network mean hackers can track a customer's every move, listen in on calls and even strip them of service.

SS7 research

"It’s not just 2G & 3G networks at risk, the reality is that the newer networks such as 4G & 5G are also built using previous generation networks infrastructure."

Dmitry Kurbatov.

Our researchers have discovered that in the last three years, the percentage of vulnerable networks has increased in nearly all threat categories such as information disclosure, location disclosure, interception of calls, fraud and subscriber DoS. In particular, our experts have managed to intercept voice calls on all tested 3G networks, and have successfully intercepted SMS messages on 94 per cent of tested networks. 

Although there are talks amongst mobile operators to retire and shut down their 2G & 3G networks, many won’t be shutting down till the next couple of years. Vodafone was the first UK provider to confirm that it will be “switching off 3G” services within the “next two to three years”, with predictions that other network such as EE, O2 and Three UK will eventually follow in the same directions as they shift to 4G or 5G. GSMA also reports that these previous generation networks will still be available to the public over the next 5 years. There is no reason to expect any significant decrease in the number of 3G users until at least 2025; but even then, SS7 will continue to be a significant player, since 2G and 3G users are projected to still account for a quarter of all network subscribers (not counting IoT devices). 

It’s not just 2G & 3G networks at risk, the reality is that the newer networks such as 4G & 5G are also built using previous generation networks infrastructure, meaning they are also burdened with the same SS7 security issues. This means that SS7 won’t be a thing of the past anytime soon. While newer protocols do exist, security is only as strong as the weakest link. What is also worrying is that it can be accessed by both legitimate operators and by illegitimate attackers.  

Stay protected

In order to stay protected operators need to adhere to GSMA security recommendations. What’s shocking is that according to ENISA, only 30 percent of EU telecom operators have implemented these recommendations. 

That is not to say they are not taking the problem seriously. However, the existing security tools they are also using are not enough because SS7 is prone to vulnerabilities which are also caused by the incorrect setup of equipment. In almost half of the networks we studied, configuration errors in equipment at network boundaries allowed illegitimate requests to bypass SMS Home Routing. To add further fuel to the fire, even properly configured traffic filtering and blocking systems cannot block all types or threats because of the inherent SS7 architecture flaws. 

In our analysis of SS7 vulnerabilities last year, we noted gradual security improvements in SS7 networks. Unfortunately, this positive trend has come to a halt. This is because security measures are being taken sporadically, without a comprehensive understanding of the problems that are crippling their networks including information disclosure, interception of SMS messages and calls, and subscriber DoS. Without a systemic approach informed by intelligence and real-time monitoring of the underlying threats, there will be gaps in security that can be exploited by attackers.

Full visibility

Operators need to have full visibility of their mobile network security by regular security assessment of signalling networks to identify existing vulnerabilities and develop measures to mitigate the impact of these threats. They will then be able to make informed decisions to implement effective security measures.

SS7 vulnerabilities allow for all kinds of attacks, and the fact that large numbers of users still using 2G and 3G network users mean that SS7 will remain a relevant part of the telecom ecosystem for years to come. This is even more definite considering that some 4G features are also still dependent on 2G/3G systems, including sending SMS messages and making calls.Operators need to make sure they learn from lessons of the past to avoid making the same mistakes with 4G & 5G.

Dmitry Kurbatov holds a degree in information security of telecommunications systems from Moscow Technological University (MIREA). He worked as a network engineer for system integrators from 2006 and joined Joined Positive Technologies in 2010.  After developing an automated security analysis system, he switched to telecom security, researching a range of vulnerabilities in network equipment, including errors in data transfer network design, protection of signalling protocols (SS7, Diameter, GTP), through to IoT security. Since 2014, he has been Director of Telecom Security at Positive Technologies.