Abstract | ||
---|---|---|
The global telephone network is relied upon by billions every day. Central to its operation is the Signaling System 7 (SS7) protocol, which is used for setting up calls, managing mobility, and facilitating many other network services. This protocol was originally built on the assumption that only a small number of trusted parties would be able to directly communicate with its core infrastructure. As a result, SS7 - as a feature - allows all parties with core access to redirect and intercept calls for any subscriber anywhere in the world. Unfortunately, increased interconnectivity with the SS7 network has led to a growing number of illicit call redirection attacks. We address such attacks with Sonar, a system that detects the presence of SS7 redirection attacks by securely measuring call audio round-trip times between telephony devices. This approach works because redirection attacks force calls to travel longer physical distances than usual, thereby creating longer end-to-end delay. We design and implement a distance bounding-inspired protocol that allows us to securely characterize the round-trip time between the two endpoints. We then use custom hardware deployed in 10 locations across the United States and a redirection testbed to characterize how distance affects round trip time in phone networks. We develop a model using this testbed and show Sonar is able to detect 70.9% of redirected calls between call endpoints of varying attacker proximity (300-7100 miles) with low false positive rates (0.3%). Finally, we ethically perform actual SS7 redirection attacks on our own devices with the help of an industry partner to demonstrate that Sonar detects 100% of such redirections in a real network (with no false positives). As such, we demonstrate that telephone users can reliably detect SS7 redirection attacks and protect the integrity of their calls. |
Year | DOI | Venue |
---|---|---|
2018 | 10.1109/SP.2018.00006 | 2018 IEEE Symposium on Security and Privacy (SP) |
Keywords | Field | DocType |
telephone security,distance bounding,SS7 | Telephone network,Computer science,Computer security,Testbed,Sonar,Phone,Round-trip delay time,Telephony,False positive paradox,The Internet | Conference |
ISSN | ISBN | Citations |
1081-6011 | 978-1-5386-4354-9 | 1 |
PageRank | References | Authors |
0.35 | 31 | 7 |
Name | Order | Citations | PageRank |
---|---|---|---|
Christian Peeters | 1 | 3 | 2.43 |
Hadi Abdullah | 2 | 6 | 2.46 |
Nolen Scaife | 3 | 97 | 9.67 |
Jasmine Bowers | 4 | 10 | 3.51 |
Patrick Traynor | 5 | 1171 | 87.80 |
Bradley Reaves | 6 | 268 | 22.81 |
Kevin Butler | 7 | 675 | 49.73 |