The SS7 protocol, now half a century old, has well-known and widely documented security vulnerabilities. The good news is that many mobile operators, arguably the majority, have acted. The bad news is that a significant number have yet to implement effective security countermeasures, so significant opportunities remain for attackers to continue to exploit the same old vulnerabilities.
That means that these attackers are sending hostile or malicious SS7 signalling traffic toward many operators and subscribers who can’t defend themselves (yet!). To do so, these attackers must use valid identifiers or addresses, such as sender addresses, on the SS7 global network. These addresses are like special “phone numbers” called Global Titles (“GTs”). These GTs cannot be made up; they must belong to recognised and established operators that will end up being accepted and relied upon by other operators for traffic routing purposes. Many of these GTs are leased from operators who “lend” or lease their addresses to other third parties to send their traffic, legitimate or not.
The GSMA’s Global Title (“GT”) Leasing Code of Conduct (“CoC”) is a significant step to clamp down upon the problem. The CoC rightly recognises that GT leasing is the single most significant enabler of SS7 attacks. Although the lessees that launch the attacks are the source of the problem, the operators that lease their GTs without due diligence, transparency or traffic oversight and the transit carriers that route the traffic make the attacks possible.
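The due diligence and traffic oversight the paragraph asks of GT lessors can be reduced to a simple register check. The following is an added example, not code from P1 Security or the GSMA, and it assumes a constructed lease register (GT prefixes, lessees and the MAP operations each lease covers) and constructed sample traffic; only the lessor who actually holds the lease records could populate it for real.

```python
"""Added example of lessor-side GT oversight; not P1 Security's or the GSMA's code.

Constructed assumptions: a GT lessor keeps a register of the GT prefixes it has
leased, the lessee each one went to, and the MAP operations that lessee is
contracted to send. Inbound signalling has already been reduced by some probe
to (calling_party_gt, map_operation) pairs.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Lease:
    prefix: str             # GT prefix handed to the lessee (constructed value)
    lessee: str             # party accountable for traffic from this prefix
    allowed_ops: frozenset  # MAP operations the lease contract permits


@dataclass(frozen=True)
class Finding:
    calling_gt: str
    operation: str
    reason: str


# Constructed register: the lessor's own prefix plus two leases.
OWN_PREFIXES = ("336120",)
LEASE_REGISTER = (
    Lease("336121", "sms-aggregator-a",
          frozenset({"sendRoutingInfoForSM", "mt-forwardSM"})),
    Lease("336122", "roaming-hub-b",
          frozenset({"updateLocation", "insertSubscriberData"})),
)


def longest_match(gt: str, prefixes: Iterable[str]) -> Optional[str]:
    """Return the longest prefix that gt starts with, or None."""
    best = None
    for p in prefixes:
        if gt.startswith(p) and (best is None or len(p) > len(best)):
            best = p
    return best


def classify(calling_gt: str, operation: str,
             leases=LEASE_REGISTER, own=OWN_PREFIXES) -> Optional[Finding]:
    """Decide whether one inbound message is accounted for by the register.

    Returns None when the traffic is attributable and within lease terms,
    otherwise a Finding naming the oversight gap (unregistered GT, or an
    operation the lease never covered).
    """
    if longest_match(calling_gt, own):
        return None  # the lessor's own traffic; nothing to attribute
    by_prefix = {lease.prefix: lease for lease in leases}
    hit = longest_match(calling_gt, by_prefix)
    if hit is None:
        return Finding(calling_gt, operation, "calling GT not in lease register")
    lease = by_prefix[hit]
    if operation not in lease.allowed_ops:
        return Finding(calling_gt, operation,
                       f"operation outside lease terms for {lease.lessee}")
    return None


def screen(records: Iterable[tuple]) -> list:
    """Run classify() over (calling_gt, operation) pairs, keeping only findings."""
    return [f for gt, op in records if (f := classify(gt, op)) is not None]


# Constructed sample traffic summary.
SAMPLE = [
    ("336120001", "sendRoutingInfoForSM"),   # lessor's own GT
    ("336121005", "sendRoutingInfoForSM"),   # aggregator, within lease terms
    ("336121005", "anyTimeInterrogation"),   # aggregator, outside lease terms
    ("336122007", "updateLocation"),         # roaming hub, within lease terms
    ("336129999", "provideSubscriberInfo"),  # prefix never leased by us
]

if __name__ == "__main__":
    for f in screen(SAMPLE):
        print(f"{f.calling_gt} {f.operation}: {f.reason}")
```

The two findings the sample produces are exactly the cases the CoC is aimed at: a lessee sending operations its lease never contemplated, and traffic carrying a GT that appears in nobody's register. A lessor that cannot produce such a register for every prefix it has handed out cannot claim to have the oversight the paragraph describes.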
Avoiding the transparency problems
The CoC does not prevent signatories from continuing to deploy legitimate, secure and high-quality communications services, but it does define how GTs can and cannot be used, in order to avoid the transparency problems that GT leasing can cause.
Securing the signalling ecosystem
Security companies such as P1 Security, and its competitors, play a vital role in securing the signalling ecosystem. We advise our customers, audit their networks, validate their firewalls (and occasionally try to break them too – with permission of course) and scan the world trying to identify the latest zero-day vulnerabilities. This is all part of a healthy, competitive security ecosystem. We love our work, and we love helping our customers. We are in a unique position to evaluate the state of protection deployed in the industry and whilst we see good progress, there is plenty left to do. Some of these audits can’t be executed on test platforms and need to audit the real, live networks, hence the need for P1 Security to send traffic on the SS7 global network.
GT leasing has attracted a lot of attention in recent years from journalists, politicians, civil rights organisations and now, increasingly, national cyber security agencies and telecommunications regulators. The impact of bad actors exploiting signalling vulnerabilities is now well understood and the industry has acted.
I very much welcome the CoC but also recognise that, for it to be a success, many more operators need to sign up to it. Whilst the current lack of signatories to the CoC is disappointing, there are many positives to take from the CoC. The single most significant outcome is that, finally, we have a set of standards to dictate reasonable behaviour – no longer can the industry feign ignorance.
Let’s raise the bar further
I would like to see the security sector raise the bar even further. Whilst GT leasing has been the gateway to some of the most pernicious signalling attacks, somewhat ironically, it has also been the point of entry for some security companies too. We believe that other security companies, unlike P1 Security, have used leased GTs to enable their valuable audit work. Too often those GTs are leased from the same GT lessors that also lease GTs to bad actors. In fact, the number ranges used may be almost the same and, even worse, they could even be recycled between bad actors and security companies to muddy the waters.
As a French-based company, P1 Security has been blessed to have the support of the French telecommunications regulator, ARCEP. We approached ARCEP in 2017 and asked to be registered as a licensed operator so that we could be assigned a GT. We were able to convince ARCEP that the benefits of this – us being able to launch tests to validate the protection of networks globally – outweighed the small cost of us being registered as a mobile operator, albeit one that didn’t supply services to consumers. Thanks to ARCEP’s visionary and reactive collaboration, this led to a change of policy that enabled identifiers such as MCC and MNC to be assigned to security companies. Our main focus was to be assigned “clean” numbering resources for which only we could be held accountable and responsible. We wanted a clear demarcation between our legitimate penetration testing activities and those of potential lessors.
We were fortunate that ARCEP was convinced of the benefits of this approach and in 2023 ARCEP assigned to us a Mobile Country Code and Mobile Network Code, meaning that we could test protocols which use MNCs and MCCs as signalling identifiers (such as Diameter) in a similar manner to SS7. It is this support that means we are able to use our own network resources to conduct penetration testing, unlike other players in this sector.
So, my message to the industry, particularly penetration testers and regulators, is that it is time to move on from the use of leased GTs. To make that happen, we need other regulators to step up and endorse that approach by providing the necessary resources to bona fide security companies. The same equally applies to the provision of mobile country codes and network codes – these are required for Diameter testing – and these, too, are provided by telecommunication regulators. Together, we can raise the levels of defence against bad actors and eliminate poor behaviour in our industry.