FCC Releases Public Notice Encouraging the Implementation of SS7 Best Practices/Hurricane Harvey Scams

Last week, the Federal Communications Commission (FCC) released a public notice encouraging the implementation of the Communications Security, Reliability, and Interoperability Council (CSRIC) best practices for securing Signaling System 7 (SS7).

The U.S. commercial communications infrastructure relies heavily on SS7. SS7 enables mobile and fixed networks to connect, helps mobile and fixed service providers process and route calls and texts between networks, and provide call session information. In recent years, multiple reports have come up stating the vulnerabilities in SS7 networks. The reports call attention to vulnerabilities that allow attackers to eavesdrop on subscribers, steal their personal information, and conduct denial of service attacks.

Suggested Best Practices

In March 2017, CSRIC adopted recommendations for best practices meant to strengthen the security posture of SS7. The recommendations consist of the following:

  • Signaling Security Monitoring: It is important to monitor network interconnections because communications service providers have “peer” relationships with each other.
  • SS7 On-Premise Firewall: Can be used to filter all incoming, outgoing and domestic traffic. More information and a list of vendors can be found here. Also, the GSMA FS.11 document will provide instructions on the configuration and clarify the functionality of a properly working SS7 firewall.  
  • Harden Network Nodes: The 3rd Generation Partnership Project (3GPP) released security requirements specifications to reduce the attack surface by addressing areas like system integrity, service availability, data security and access, and core network protections. Some of these specifications include:
    • TS 33.117, General Security Requirements
    • TS 33.116, Security Assurance Specification for MME
    • TS 33.250, Security Assurance Specification for PGW
  • Signaling Aggregators: These allow for more robust monitoring and traffic filtering because it can see network traffic coming from international and domestic entities and allows for a response to suspicious activity.
  • Information Sharing: The telecommunications industry should continue sharing threat information regarding SS7 security risks with the DHS National Coordinating Center for Communications (NCC), Communications Information Sharing and Analysis Center (ISAC), and collaborating with law enforcement.
  • Circles of Trust: The concept of Circles of Trust involves growing trust between telecommunications providers in order to securely pass traffic between networks.
  • Periodic Security Assessments: Periodic security assessments can help identify risks and provide needed security controls.
  • Subscriber Encryption Support: Consumers need to be educated about the risk that SS7 could be used to eavesdrop or globally track, as well as how they can protect themselves. For voice calls, there are some well-known end-to-end encryption services such as:

More information regarding SS7 security best practices can be found in the CSRIC Final Report.

Hurricane Harvey Scams

Earlier this week, US-CERT issued a warning to users to be aware of potential malicious attacks taking advantage of the publicity surrounding Hurricane Harvey. Users are advised to be cautious when opening emails that appear to be related to Hurricane Harvey, even if it appears to be from a valid source.  Malicious emails will likely contain attachments or links to malware-infected or phishing sites.

US-CERT recommends users to abide by the following practices:

  • Review the Federal Trade Commission’s advisory on donating to charities in the wake of Hurricane Harvey.
  • Do not open links in unsolicited emails.
  • Exercise caution when opening email attachments.
  • Verify the legitimacy of email solicitation or go directly to a trusted source.
  • Installing patches and keeping antivirus up-to-date.