- Jan 9, 2020
The decades-old SS7 signaling system is one of numerous protocols exposing 5G networks to abuse.
BLACK HAT ASIA: Researchers have demonstrated how attackers can take advantage of a decades-old protocol to exploit 5G networks.
The next-generation wireless technology is expected to account for 21% of all wireless infrastructure investments in 2020. Pilots and official rollouts are underway worldwide -- despite the disruption caused by COVID-19 -- and many vendors now offer 5G-supporting devices in preparation for transitions from 4G to 5G.
While investment is pouring into 5G from all areas, security appears to be an afterthought, as fragmented and bolted-on telecoms technologies, protocols, and standards leave gaping holes for cyberattackers to exploit.
During a presentation at Black Hat Asia on Friday called "Back to the Future. Cross-Protocol Attacks in the Era of 5G," Positive Technologies security expert Sergey Puzankov highlighted how outstanding issues in the SS7 protocol still plague the telecommunications industry.
The Signaling System 7 (SS7) industry standard and set of protocols was developed in 1975 and hasn't moved on much since that decade -- and this includes its security posture. In 2014, the cybersecurity firm revealed exploitable security flaws in the protocol which could be used to conduct attacks ranging from intercepting phone calls to bypassing two-factor authentication (2FA).
Diameter and GTP are also commonly used in the telecoms industry for 3GPP, GSM, UMTS, and LTE networks. Mobile networks will often connect these protocols to provide a seamless experience for consumers when they shift between 3G, 4G, and 5G.
"This mishmash of technologies, protocols, and standards in telecom has implications for security," Puzankov says. "Intruders are attacking mobile networks from all possible angles, in part by leveraging multiple protocols in combined attacks."
Vendors are aware of these problems and have implemented various security measures to try to protect their networks, including signaling firewalls, frequent security assessments and audits, signaling IDS, and SMS home routing. However, this doesn't always go far enough.
In a set of scenarios explained during the presentation, Puzankov outlined how cross-protocol attack vectors could be used to manipulate data streams on 4G and 5G networks; intercept SMS and voice calls on 2G, 3G, and 4G; and potentially commit widespread financial fraud by signing up subscribers to value-added services (VAS) without their consent -- all from a signaling connection.
Each case has one thing in common: attacks begin with malicious actions in one protocol that are continued in another, requiring specific combinations of actions and mixed-generation networks to succeed. Architecture flaws, misconfigurations, and software bugs provide entryways for potential attacks.
In the first scenario, when firewalls are not in place, voice call interception was found to be possible via Man-in-the-Middle (MiTM) attacks. For example, threat actors could spoof billing websites, make contact with a subscriber, and then lure them to input their account details into the fraudulent domain. By jumping from SS7 to Diameter, it may also be possible to circumvent existing security barriers.
The second case outlined by Puzankov involves voice call interception on 4G and 5G networks by tampering with network packets. When a user is on a 4G or 5G network, signals are constantly sent in what the researcher calls an "always connected" mode, and if a threat actor jumps from Diameter to other protocols, they may be able to intercept subscriber profiles and data. If a victim is roaming, location requests can also be sent by attackers.
Finally, subscription fraud can be achieved by sending "random" requests to subscribers via the SS7 / GTP protocols. By exploiting security issues, attackers may be able to assign victims unwanted subscriptions generated via stolen subscriber profile data.
All of these attack vectors have been tested in real-world scenarios and reported to relevant industry bodies.
"It is still possible for attacks to take place on well-protected networks," the researcher commented. "In most cases, operators can protect their networks better without [additional] cost. They just need to check if their security tools are effective when new vulnerabilities are reported."