For years, SS7 security has been a focus of security researchers and the media. The threat of hackers using SS7 flaws to steal money from bank accounts by intercepting text messages that contain one-time passwords has moved from fantasy to fact. Mobile operators are aware of the problem, and we see that they do a lot to protect their networks. Operators implement SMS Home Routing systems and SS7 firewalls, introduce security monitoring, and configure existing equipment to comply with security requirements.
However, recent research demonstrates that a malefactor could gain access to signaling networks through other vectors, such as the internet and the radio part of the mobile network. The era of 5G technology is coming, but there are billions of subscribers who still use 2G and 3G networks that rely on SS7 signaling.
The GSMA FASG (Fraud and Security Group) has issued a set of documents describing how to withstand SS7 threats. Vendors of signaling protection tools rely on these documents when they develop their solutions. However, not all vendors pay attention to the SS7 feature that makes it possible to encapsulate multiple components inside one signaling message. In this talk, I will explain how a malefactor is able to bypass any kind of signaling protection tool using this feature and successfully perform attacks in the real world.