Dans le cadre d’une plateforme d’\u00e9change, j’ai publi\u00e9 un article tr\u00e8s simple d’introduction des vuln\u00e9rabilit\u00e9s SS7 des r\u00e9seaux d’interconnections mobiles. Voici l’article et le lien vers l’\u00e9change complet.<\/p>\n
<\/p>\n
SS7\u00a0or Signaling System No. 7 is a networking\/interconnect set of\u00a0protocols\u00a0and interconnection definitions developed in the 1970s, which is still widely used to set up and connect most of\u00a0Telephone\u00a0Networks.<\/p>\n
It was supposed to be used internally, in a form of \u201cwalled garden\u201d network. and that was sufficient at the time to consider it as “secure” among telco players.<\/p>\n
At design, the high cost of SS7\u00a0hardware\u00a0(and software), was the only barrier preventing third\u00a0parties\u00a0from penetrating such\u00a0networks\u00a0and using it in a\u00a0malicious\u00a0and harmful way.<\/p>\n
During the past decades, the telco landscape changed drastically, mainly driven by: The All-IP transition, the\u00a0evolution\u00a0of data and the very, very, very competitive market of\u00a0telecom\u00a0suppliers.<\/p>\n
The hardware barrier was removed thanks to the wide adoption of SIGTRAN (SS7 over IP) in order to interconnect networks over IP. Then\u00a0documentation, and the work of many\u00a0security researcher\u00a0lead to the exposition of the many built-in flaws of this protocol.<\/p>\n
A very large set of\u00a0Attacks\u00a0can be launched and are mainly targeting :<\/p>\n
Those, very critical attacks can go from calls\u00a0interception,\u00a0SMS\u00a0interception \u2026 to a complete\u00a0DDOS\u00a0of\u00a0network\u00a0infrastructures and a complete loss of service.<\/p>\n
The\u00a0GSMA\u00a0addressed those\u00a0threats\u00a0in a series of reference\u00a0documents\u00a0dealing with the how-to detect, mitigate, and assess those\u00a0risks\u00a0:<\/p>\n
Mainly, measures should cover different layers of the SS7\/SIGTRAN stack. But taken in consideration that policing in MTP, SCCP, MAP layers are mandatory, many architectural considerations are to be taken in order to have effective measures.<\/p>\n
Those will be maybe detailed in a next post.<\/p>\n
Thank you.<\/p>\n