Signalling System No. 7
Signalling System No. 7 | |
---|---|
Status | In force |
Year started | 1984 |
Latest version | (03/93) March 1993 |
Organization | ITU-T |
Committee | Study Group XI, WTSC |
Related standards | Q.701, Q.711 |
Domain | telephony |
Website | https://www.itu.int/rec/T-REC-Q.700 |
Signalling System No. 7 (SS7) is a set of
The protocol was introduced in the Bell System in the United States by the name Common Channel Interoffice Signaling in the 1970s for signalling between No.
SS7 has been shown to have several security vulnerabilities, allowing location tracking of callers, interception of voice data, interception of two-factor authentication keys, and possibly the delivery of spyware to phones.[4]
The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called Pseudo SS7, it is layered on the Stream Control Transmission Protocol (SCTP) transport mechanism for use on Internet Protocol networks, such as the Internet.
In North America SS7 is also often referred to as Common Channel Signaling System 7 (CCSS7). In the United Kingdom, it is called C7 (CCITT number 7), number 7 and Common Channel Interoffice Signaling 7 (CCIS7). In Germany, it is often called Zentraler Zeichengabekanal Nummer 7 (ZZK-7).
History
Signaling System No. 5 and earlier systems use in-band signaling, in which the call-setup information is sent by generating special multi-frequency tones transmitted on the telephone line audio channels, also known as bearer channels. As the bearer channels are directly accessible by users, they can be exploited with devices such as the blue box, which plays the tones required for call control and routing. As a remedy, SS6 and SS7 implement out-of-band signaling, carried in a separate signaling channel,[5]: 141 thus keeping the speech path separate. SS6 and SS7 are referred to as common-channel signaling (CCS) protocols, or Common Channel Interoffice Signaling (CCIS) systems.
Another element of in-band signaling addressed by SS7 is network efficiency. With in-band signaling, the voice channel is used during call setup which makes it unavailable for actual traffic. For long-distance calls, the talk path may traverse several nodes which reduces usable node capacity. With SS7, the connection is not established between the end points until all nodes on the path confirm availability. If the far end is busy, the caller gets a busy signal without consuming a voice channel.
Since 1975, CCS protocols have been developed by major telephone companies and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T); in 1977 the ITU-T defined the first international CCS protocol as
The Internet Engineering Task Force (IETF) defined SIGTRAN protocols which translate the common channel signaling paradigm to the IP Message Transfer Part (MTP) level 2 (M2UA and M2PA), Message Transfer Part (MTP) level 3 (M3UA) and Signaling Connection Control Part (SCCP) (SUA). While running on a transport based upon IP, the SIGTRAN protocols are not an SS7 variant, but simply transport existing national and international variants of SS7.[6]
Functionality
Signaling in telephony is the exchange of control information associated with the setup and release of a telephone call on a telecommunications circuit.[7]: 318 Examples of control information are the digits dialed by the caller and the caller's billing number.
When signaling is performed on the same circuit as the conversation of the call, it is termed
In contrast, SS7 uses
Because of the mechanisms in use by signaling methods prior to SS7 (battery reversal,
The earliest deployed upper-layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release of telephone calls.
Because SS7 signaling does not require seizure of a channel for a conversation prior to the exchange of control information, non-facility associated signaling (NFAS) became possible. NFAS is signaling that is not directly associated with the path that a conversation will traverse and may concern other information located at a centralized database such as service subscription, feature activation, and service logic. This makes possible a set of network-based services that do not rely upon the call being routed to a particular subscription switch at which service logic would be executed, but permits service logic to be distributed throughout the telephone network and executed more expediently at originating switches far in advance of call routing. It also permits the subscriber increased mobility due to the decoupling of service logic from the subscription switch. Another ISUP characteristic SS7 with NFAS enables is the exchange of signaling information during the middle of a call.[7]: 318
SS7 also enables Non-Call-Associated Signaling, which is signaling not directly related to establishing a telephone call.[7]: 319 This includes the exchange of registration information used between a mobile telephone and a home location register database, which tracks the location of the mobile. Other examples include Intelligent Network and local number portability databases.[7]: 433
Signaling modes
Apart from signaling with these various degrees of association with call set-up and the facilities used to carry calls, SS7 is designed to operate in two modes: associated mode and quasi-associated mode.[9]
When operating in the associated mode, SS7 signaling progresses from switch to switch through the Public Switched Telephone Network following the same path as the associated facilities that carry the telephone call. This mode is more economical for small networks. The associated mode of signaling is not the predominant choice of modes in North America.[10]
When operating in the quasi-associated mode, SS7 signaling progresses from the originating switch to the terminating switch, following a path through a separate SS7 signaling network composed of signal transfer points. This mode is more economical for large networks with lightly loaded signaling links. The quasi-associated mode of signaling is the predominant choice of modes in North America.[11]
Physical network
SS7 separates signaling from the voice circuits. An SS7 network must be made up of SS7-capable equipment from end to end in order to provide its full functionality. The network can be made up of several link types (A, B, C, D, E, and F) and three signaling nodes –
The links between nodes are full-duplex 56, 64, 1,536, or 1,984 kbit/s graded communications channels. In Europe they are usually one (64 kbit/s) or all (1,984 kbit/s)
In Europe, SS7 links normally are directly connected between switching exchanges using F-links. This direct connection is called associated signaling. In North America, SS7 links are normally indirectly connected between switching exchanges using an intervening network of STPs. This indirect connection is called quasi-associated signaling, which reduces the number of SS7 links necessary to interconnect all switching exchanges and SCPs in an SS7 signaling network.[12]
SS7 links at higher signaling capacity (1.536 and 1.984 Mbit/s, simply referred to as the 1.5 Mbit/s and 2.0 Mbit/s rates) are called
SIGTRAN provides signaling using SCTP associations over the Internet Protocol.[7]: 456 The protocols for SIGTRAN are M2PA, M2UA, M3UA and SUA.[14]
SS7 protocol suite
SS7 protocols by OSI layer | |
---|---|
Application | INAP, MAP, IS-41... TCAP, CAP, ISUP, ... |
Network | MTP Level 3 + SCCP |
Data link | MTP Level 2 |
Physical | MTP Level 1 |
The SS7
The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network interface, information transfer, message handling and routing to the higher levels. Signaling Connection Control Part (SCCP) is at functional Level 4. Together with MTP Level 3 it is called the Network Service Part (NSP). SCCP completes the functions of the OSI network layer: end-to-end addressing and routing, connectionless messages (UDTs), and management services for users of the Network Service Part (NSP).[15] Telephone User Part (TUP) is a link-by-link signaling system used to connect calls. ISUP is the key user part, providing a circuit-based protocol to establish, maintain, and end the connections for calls. Transaction Capabilities Application Part (TCAP) is used to create database queries and invoke advanced network functionality, or links to Intelligent Network Application Part (INAP) for intelligent networks, or Mobile Application Part (MAP) for mobile services.
BSSAP
BSS Application Part (BSSAP) is a protocol in SS7 used by the
BSSAP provides two kinds of functions:
- The BSS Mobile Application Part (BSSMAP) supports procedures to facilitate communication between the MSC and the BSS pertaining to resource management and handover control.
- The Direct Transfer Application Part (DTAP) is used for transfer of those messages which need to travel directly to mobile equipment from the MSC, bypassing any interpretation by the BSS. These messages generally pertain to mobility management (MM) or call management (CM).
Protocol security vulnerabilities
In 2008, several SS7 vulnerabilities were published that permitted the tracking of mobile phone users.[17]
In 2014, the media reported a protocol vulnerability of SS7 by which anyone can
In February 2016, 30% of the network of the largest mobile operator in Norway, Telenor, became unstable due to "unusual SS7 signaling from another European operator".[23][24]
The security vulnerabilities of SS7 have been highlighted in U.S. governmental bodies, for example when in April 2016 Congressman Ted Lieu called for an oversight committee investigation.[25]
In May 2017,
In March 2018, a method was published for the detection of the vulnerabilities, through the use of open-source monitoring software such as Wireshark and Snort.[27][28][29] The nature of SS7 normally being used between consenting network operators on dedicated links means that any bad actor's traffic can be traced to its source.
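Tracing of this kind rests on the MTP Level 3 routing label, in which every message carries an originating point code (OPC). As an added example (not from the original article or from the cited detection method), the Python below decodes the ITU-T 14-bit routing label and counts messages whose OPC falls outside an assumed list of interconnect partners; the point codes, partner set and sample messages are all constructed.

```python
# Added example: attribute ITU-T MTP Level 3 messages to their originating point code.
# Assumes the ITU-T 14-bit point code format (ANSI networks use 24-bit point codes).
import struct
from collections import Counter

SERVICE_INDICATORS = {0: "SNM", 3: "SCCP", 4: "TUP", 5: "ISUP"}  # SI values from Q.704

def format_pc(pc):
    """Render a 14-bit ITU point code in 3-8-3 (zone-area-point) notation."""
    return f"{pc >> 11}-{(pc >> 3) & 0xFF}-{pc & 0x7}"

def parse_mtp3(msu):
    """Decode the service information octet and 32-bit routing label of one MSU."""
    if len(msu) < 5:
        raise ValueError("truncated MTP3 header")
    sio, label = struct.unpack_from("<BI", msu)  # label is sent least significant octet first
    si = sio & 0x0F
    return {"ni": sio >> 6, "user": SERVICE_INDICATORS.get(si, f"SI{si}"),
            "dpc": label & 0x3FFF, "opc": (label >> 14) & 0x3FFF, "sls": label >> 28}

def unknown_origins(msus, partner_opcs):
    """Count messages per originating point code that is not a known partner."""
    hits = Counter()
    for msu in msus:
        try:
            opc = parse_mtp3(msu)["opc"]
        except ValueError:
            hits["malformed"] += 1
            continue
        if opc not in partner_opcs:
            hits[format_pc(opc)] += 1
    return hits

def build_msu(ni, si, dpc, opc, sls, payload=b""):
    """Build a sample MSU header; used only to construct the test data below."""
    return struct.pack("<BI", (ni << 6) | si, dpc | (opc << 14) | (sls << 28)) + payload

# Constructed data: local node 2-100-4, partners 2-100-1 and 2-100-2 (all hypothetical).
PARTNERS = {4897, 4898}
SAMPLE_MSUS = [
    build_msu(0, 3, 4900, 4897, 1),   # SCCP from a partner
    build_msu(0, 3, 4900, 10506, 2),  # SCCP from 5-33-2, not a partner
    build_msu(0, 5, 4900, 4898, 3),   # ISUP from a partner
    build_msu(0, 3, 4900, 10506, 4),  # SCCP from 5-33-2 again
    b"\x03\x00",                      # too short to carry a routing label
]

if __name__ == "__main__":
    for origin, count in unknown_origins(SAMPLE_MSUS, PARTNERS).items():
        print(origin, count)
```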
An investigation by
In 2024, Kevin Briggs, an official at the Cybersecurity and Infrastructure Security Agency, reported to the FCC that hacks related to SS7 and Diameter had been used in "numerous attempts" to acquire location data, voice and text messages, deliver spyware, and influence voters in the US.[31]
References
- ^ T.J. Cieslak, L.M. Croxall, J.B. Roberts, M.W. Saad, J.M. Scanlon, No.4 ESS: Software Organization and Basic Call Handling, Bell System Technical Journal 56(7), p.1113 (September 1977).
- ^ B. Kaskey, J.S. Colson, R.F. Mills, F.H. Myers, J.T. Raleigh, A.F. Schweizer, R.A. Tauson, Common Channel Interoffice Signaling: Technology and Hardware, Bell System Technical Journal 57(2), p.379 (February 1978).
- ^ a b c "ITU-T Recommendation Q.700". 1993-03-01.
- ISSN 0013-0613. Retrieved 2024-05-28.
- ^ ISBN 0-672-22498-4.
- .
- ^ ISBN 978-0-07-138772-9.
- ^ "ITU-T Recommendation Q.700, section 3.2.1". 1993-03-01: 7.
- ^ "ITU-T Recommendation Q.700". 1993-03-01: 4.
- ^ (Dryburgh & Hewitt 2004, pp. 22–23).
- ^ (Dryburgh & Hewitt 2004, p. 23).
- ^ "ITU-T Recommendation Q.700, section 2.2.3". 1993-03-01: 4–5.
- ^ a b "ITU-T Recommendation Q.703, Annex A, Additions for a national option for high speed signaling links". International Telecommunication Union. pp. 81–86.
- ^ "Understanding the Sigtran Protocol Suite: A Tutorial | EE Times". EETimes. Retrieved 2016-06-30.
- ^ "ITU-T Recommendation Q.711, section 1": 1-2.
- ^ "3GPP TS 48.008, Mobile Switching Centre - Base Station System (MSC-BSS) interface; Layer 3 specification".
- ^ Archived at Ghostarchive and the Wayback Machine: Engel, Tobias (2008-12-27). "Locating Mobile Phones using SS7" (Video). Youtube. 25th Chaos Communication Congress (25C3). Retrieved 2016-04-19.
- ^ Timburg, Craig (24 August 2014). "For sale: Systems that can secretly track where cellphone users go around the globe". The Washington Post. Retrieved 27 December 2014.
- ^ Timburg, Craig (18 December 2014). "German researchers discover a flaw that could let anyone listen to your cell calls". The Washington Post. Retrieved 19 December 2014.
- Qualcomm chip
- ^ Karsten Nohl (2014-12-27). "Mobile self-defence" (PDF). Chaos Communication Congress. Archived (PDF) from the original on 2014-12-31.
- ^ "SnoopSnitch". Google Play. August 15, 2016.
- ^ "Feilen i mobilnettet er funnet og rettet" (in Norwegian). Telenor ASA.
- ^ "SS7 signalering – Et ondsinnet angrep mot Telenor ville hatt samme konsekvens" (in Norwegian). digi.no / Teknisk Ukeblad Media AS. Archived from the original on 2016-02-23. Retrieved 2016-02-23.
- ^ "US congressman calls for investigation into vulnerability that lets hackers spy on every phone". The Guardian. April 19, 2016.
- ^ Khandelwal, Swati. "Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts". The Hacker News. Retrieved 2017-05-05.
- ^ Corletti Estrada, Alejandro. "Análisis de ataques/vulnerabilidades SS7/Sigtran empleando Wireshark (y/o tshark) y Snort". Metodología de detección de vulnerabilidades SS7/Sigtran (in European Spanish). Archived from the original on 2018-04-03. Retrieved 2018-03-31.
- ^ Corletti Estrada, Alejandro. "Analysis of attacks/vulnerabilities SS7/Sigtran using Wireshark (and/or tshark) and Snort". Vulnerability detection methodology SS7/Sigtran. Archived from the original on 2018-04-03. Retrieved 2018-03-31.
- ^ "Definitive guide to SS7/Sigtran Attack and Preventive Measures". Full Research on SS7/Sigtran Attack Vector, Exploits and Preventive Measures. 2019-01-28. Retrieved 2020-07-03.
- ^ "Spy companies using Channel Islands to track phones around the world". 16 December 2020. Archived from the original on 19 December 2020. Retrieved 19 December 2020.
Data reviewed by the Bureau shows that a series of signals designed to reveal phone location were sent to a US-registered mobile belonging to the yacht's skipper, Hervé Jaubert, the day before commandos stormed the yacht and seized the princess. The effort appears to have been part of a huge bid by the Emiratis – mobilising boats, a surveillance plane and electronic means – to track down the fleeing princess. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos and the USA.
- ISSN 0013-0613. Retrieved 2024-05-28.
Further reading
- Dryburgh, Lee; Hewitt, Jeff (2004). Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Services. Indianapolis: Cisco Press. ISBN 1-58705-040-4.
- Ronayne, John P. (1986). "The Digital Network". Introduction to Digital Communications Switching (1st ed.). Indianapolis: Howard W. Sams & Co., Inc. ISBN 0-672-22498-4.
- Russell, Travis (2002). Signaling System #7 (4th ed.). New York: McGraw-Hill. ISBN 978-0-07-138772-9.