As a key part of the national critical infrastructure, and the ever-expanding telecom market, Forward Defense has worked hard to protect not only the cyber security of an operator, but also they fundamentals that form the backbone of the operator.

SS7 / Diameter Security audits | Forward Defense - The trusted IT security advisors

A SS7 penetration test, or SS7 security audit, is very similar in concept to a PCI compliance test. Through our partnership with multiple mobile operators, we have access to worldwide SS7 connectivity. We will fire various SS7 messages at you from various external sources (trying when possible to test across your multiple SCCP providers, just in case one of them has implemented a cloud-based SS7 firewall solution).

Sources of the messages will not be disclosed to you in advance, in order to maintain the independence of the test. Messages will replicate dozens of different types of attacks that are known to us, but will only be directed at specific single-purpose test subscriptions on your network, in order not to disrupt or breach privacy of any real subscriber.

We will not perform any network-wide DOS testing, for obvious reasons, unless you have a lab setup against which we can run these more involved tests.

Typically, no direct SS7 connection needs to be established with your network in order to conduct an audit, which keeps audits relatively inexpensive and quick, when compared to the cost and implementation time of a full-blown on-premises firewall solution.

After the test has been concluded, we will provide you with a report of the those vulnerabilities that have been detected on your network, and we will provide directions as to how they can be eliminated. At your option, we can interact with your mobile node vendors in order to facilitate the production and deployment of patches to address the various issues, and perform a rescan at a later time, to confirm that the vulnerabilities have been eliminated.

Has your network been attacked or hacked via SS7? Or perhaps an attack is ongoing?

We can help with a forensic analysis of SS7 traces (or setup traps, probes, decoys or honeypots to capture information on ongoing attacks and mislead attackers) to determine the target of the attack, the goal, and possibly shed some information on the origin of the attack by using techniques involving correlation, OSINT or fingerprinting of the sending node. More importantly, we can help fast! Possibly today.

We will also recommend ways in which to prevent these attacks going forward, and look for other SS7 vulnerabilities on your network that need to be closed down by running an external SS7 penetration test.

Please contact us using the form below and we will discuss the best course of action for your problem, which may include remote or onsite resources.

Diameter is an authentication, authorization, and accounting protocol for computer networks.

Forward Defense provides its clients with regular SS7 intelligence reports, providing mobile operators and regulators valuable information about the SS7-based threat landscape and the bad actors that are attacking subscribers through the worldwide SS7 network.

While recent years have seen a lot of attention from telecom regulators on the subject of SS7-based vulnerabilities, and some mobile operators have begun securing their networks, the vast majority of worldwide mobile networks remain vulnerable to SS7-based attacks against their subscribers. Using the SS7 network, an attacker can accurately geo-locate mobile phone, intercept text messages, record phone conversations and much more on unprotected mobile networks.

Through a strategic partnership with The Telecom Defense Limited Company in USA, Forward Defense offers an SS7 intelligence report, updated monthly and sold via annual subscription, that provides a mobile operator or regulator with valuable information regarding the identity of currently active attackers on the SS7 network, new attackers, volumes of attacks and trends, origins, types and signatures of attacks.

The reports are produced using anonymized SS7 metadata provided by various partner mobile operators around the world, which creates a representative and realistic picture of the worldwide threat landscape and its trends month after month.

The monthly report contains:

• Current list of GTs originating malicious SS7 traffic;
• Correlation between attacking GTs and patterns;
• Types of attacks per GT;
• Activity patterns;
• OSINT information on the originating networks to help determine possible attribution;
• Volume of activity and trends;
• Contact us now for more information.

For a basic understanding of what Diameter is, you may want to start here.

We are currently concluding the R&D on our Diameter penetration testing methodology and Diameter network audits, and will be offering off-premises Diameter penetration testing shortly.

For an over of CDMA is, you may want to start here. Code division multiple access (CDMA) is a channel access method used by various radio communication technologies.

Vulnerabilities for CDMA operators are very similar than those found on GSMA networks. CDMA signaling also use SS7, just a different flavor of it. Our CDMA penetration test is currently in R&D and we are looking for CDMA networks interested in this subject to serve as initial test targets.

If you are a CDMA network concerned about security vulnerabilities over the signaling interface, please contact us using the form below.

Telco-cyber-securityTelco Cyber Security Training | We provide trainings / courses that covers various aspects of telecom network security and fraud, for your engineering, fraud prevention and billing teams. The course contains many real life examples of security breaches and fraud cases in both fixed and mobile networks, as well as a complete training on SS7 based vulnerabilities, and can be eye opening for upper management as well.

We also provide training to country regulators who wish to learn about security issues that may affect mobile operators in their countries, such as SS7 vulnerabilities. The training can be tailored to your audience in content and length, from one to five days, and will be conducted onsite anywhere in the world.

Optionally, an SS7 penetration test of your network can be conducted live during the training session, and the results discussed immediately with the audience. This is particularly effective if the engineers responsible for your SS7 connectivity and various network nodes are part of the audience.

If you would like to discuss Telco Cyber Defense for your organization, please contact us using the form below.

While it is common for an operator to perform a single SS7 vulnerability assessment, Forward Defense promotes constant monitoring through the Sigscan solution, giving the operator a renewed sense of security rather than a single instance.

Amplification attacks, exhaustion of MSRN pools, TCAP traffic injection, replay attacks.

Man-in-the-middle attacks, redirection or interception of incoming calls or SMS.

Disclosure of subscriber IMSI and Location, hijacking of authentication vectors.

Deny incoming and outgoing calls or SMS.

Billing Bypass, illegitimate charge, network element impersonationd and address fakeing.

Learn more about security threats, attack examples, bypass techiques, GPRS Tunneling, IT domain attacks. Contact us to download our .PDF SigScan Presentations and Resources.