SS7 Introduction

Because 5G must continue to support user roaming onto the third world’s legacy 2G/3G networks in future operations, Signaling System Number 7 (SS7) attacks may spread to 5G networks too. SS7 is the main signaling system used when the 5G core network is interconnected with legacy networks. It interconnects telecommunications services between operators and is widely deployed among international mobile phone operators. Operators also connect their core network units through SS7 to implement services such as billing, mobility management, and SMS. One of the key application layer protocols of SS7 is the Message Application Protocol (MAP), which is mainly used for communication between units in the core network such as the Mobile Switching Center (MSC), Home Location Register (HLR), and Visitor Location Register (VLR). Because SS7 treats the path between telecom operators as a private and trusted network, security mechanisms were almost entirely ignored when the protocol was specified. In recent years, vulnerabilities in SS7 have been discovered one after another and have been used for increasingly rampant telecom fraud.

O'Prueba Technology Inc. conducts in-depth research and analysis on the attacks that SS7 makes possible. GSMA has compiled the currently known attack categories and related attack methods in the standard document FS.07. O'Prueba Technology Inc. implemented SS7 based on the relevant documents and turned the resulting attack methods into detection tools and services that alert operators to the real existence of these attacks and improve protection awareness.

| Attack category | Attack method |
| --- | --- |
| Location tracking | Any Time Interrogation (ATI) |
| | Send Routing Info (SRI) |
| | Send Routing Info for Location Services (SRIforLCS) |
| | Provide Subscriber Location (PSL) |
| | Send Routing Info for GPRS (SRIforGPRS) |
| | Send Routing Info for SMS (SRIforSMS) |
| | Provide Subscriber Info (PSI) |
| Service disruption | Purge MS |
| | Update Location (UL) |
| | Cancel Location (CL) |
| | Insert Subscriber Data (ISD) |
| | Delete Subscriber Data (DSD) |
| | Immediate Service Termination Command (ISTCommand) |
| | Any Time Modification (ATM) |
| | Provide Roaming Number (PRN) |
| Fraud | Insert Subscriber Data |
| | Process Unstructured SS Request |
| | Any Time Modification |
| | Note Subscriber Data Modified |
| | Delete Subscriber Data |