SS7 vulnerabilities and attack exposure



SS7 Vulnerability 2017 A4.ENG .0003.03


UpdateLocation
RegisterSS
InsertSubscriberData
PurgeMS

All attempts resulted in a denial of service for subscribers, except those using InsertSubscriberData, of which 83 percent were successful. AnyTimeModification can be used for this purpose as well; however, the security settings of all analyzed networks blocked these requests.

Apart from the inability to make voice calls and send and receive SMS messages, an attack via InsertSubscriberData can cause internet access denial.

Although such disruption of network functioning is targeted and affects an individual subscriber, an attacker can cause a massive service denial if he or she has access to an IMSI database or is able to brute-force IMSIs.

A denial of service can be critical for IoT devices. IoT is spreading rapidly, connecting billions of devices that require access to telecommunications networks. The disruption of smart home or surveillance systems, or devices that track car location, or the shutdown of industrial processes can lead to significant subscriber churn.

The research revealed that the average subscriber downtime after a DoS attack is more than three hours. In some cases, a subscriber's profile in a database is changed after that and the equipment cannot restore the profile even when the subscriber reboots the device. This happened after DoS attacks via the PurgeMS and InsertSubscriberData methods.

If the VLR address where the subscriber is currently registered is removed from the HLR via PurgeMS initiated by a certain third-party host, terminating calls cannot be routed to the subscriber's VLR/MSC, because there is no registration address in the HLR. In this case, originating calls are available for the subscriber, because the registration record in the VLR is not changed.

Rebooting the device does not help to restore the record in the HLR, because the VLR does not initiate the UpdateLocation procedure, assuming that there are no changes in the subscriber's registration data.

It is possible to restore the registration record and therefore the subscriber's availability only by registering in the coverage area of another serving MSC (for example, by first manually selecting the network of another operator, and then selecting the home network again). Another method is to move to another MSC of the home network.
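
The PurgeMS behaviour described above, as an added toy model in Python (not code from the original report): it reproduces the lost HLR record, the ineffective reboot and the recovery under another VLR, then repeats the run with an origin check on PurgeMS. The class names, the `check_origin` switch, the addresses and the IMSI are assumptions constructed for illustration, and the model ignores real MAP encoding.

```python
from dataclasses import dataclass, field

@dataclass
class HLR:
    vlr_of: dict = field(default_factory=dict)  # IMSI -> registered VLR address
    check_origin: bool = False  # hypothetical filter switch (assumption)

    def update_location(self, imsi, vlr):
        self.vlr_of[imsi] = vlr

    def purge_ms(self, imsi, origin):
        # Filtered case: only the VLR holding the registration may purge it.
        if self.check_origin and self.vlr_of.get(imsi) != origin:
            return False  # rejected; registration untouched
        self.vlr_of.pop(imsi, None)
        return True

    def can_route_terminating(self, imsi):
        return imsi in self.vlr_of  # no VLR address means no route to subscriber

@dataclass
class VLR:
    address: str
    hlr: HLR
    records: set = field(default_factory=set)

    def attach(self, imsi):
        # UpdateLocation goes to the HLR only if this VLR has no record yet.
        if imsi not in self.records:
            self.records.add(imsi)
            self.hlr.update_location(imsi, self.address)

def scenario(check_origin):
    hlr = HLR(check_origin=check_origin)
    home, other = VLR("vlr-home", hlr), VLR("vlr-other", hlr)
    imsi = "001010000000001"  # constructed test IMSI
    home.attach(imsi)
    accepted = hlr.purge_ms(imsi, origin="third-party-host")  # constructed origin
    after_purge = hlr.can_route_terminating(imsi)
    originating = imsi in home.records  # VLR record is not changed by the purge
    home.attach(imsi)  # device reboot under the same VLR
    after_reboot = hlr.can_route_terminating(imsi)
    other.attach(imsi)  # registration under another MSC/VLR
    after_move = hlr.can_route_terminating(imsi)
    return accepted, after_purge, originating, after_reboot, after_move

if __name__ == "__main__":
    print("unfiltered:", scenario(False))
    print("origin check:", scenario(True))
```

Each tuple is (purge accepted, terminating calls routable after purge, originating calls available, routable after reboot, routable after moving to another VLR).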

Protection measures and their efficiency

Detected vulnerabilities are caused by incorrect configuration of network equipment or protection tools, as well as by fundamental SS7 vulnerabilities. In the former case, changing equipment configuration will solve the problem. However, architecture flaws can be mitigated only by monitoring and filtering signaling traffic. To ensure analysis and blocking of incoming messages without network disruption, additional equipment is required. Let us look at some protection methods applied in analyzed networks, and assess their efficiency.

SMS Home Routing was enabled in almost every network. In 2016, operators started to implement signaling traffic blocking and filtering systems. In 2017 these systems were present in every third network.

All networks are exposed to a subscriber denial of service
