Showing posts with label SS7. Show all posts
Showing posts with label SS7. Show all posts

Sunday, 9 August 2015

Diameter Security is worse than SS7 Security?


Back in December last year, there was a flurry of news about SS7 security flaw that allowed hackers to snoop on an unsuspecting users calls and SMS. The blog readers will also be aware that SS7 is being replaced by the Diameter protocol. The main reason being to simplify roaming while at the same time being able to manage the signalling storm in the networks.


The bad news is that while is case of SS7, security issues are due to network implementation and configuration (above pic), the security issues in Diameter seem to be due to the protocol and architecture themselves (below pic)


Diameter is very important for LTE network architecture and will possibly continue in the future networks too. It is very important to identify all such issues and iron them before some hackers start exploiting the network vulnerabilities causing issues for everyone.

The presentation by Cédric Bonnet, Roaming Technical Domain Manager, Orange at Signalling Focus Day of LTE World Summit 2015 is embedded below:


From SS7 to Diameter Security from Zahid Ghadialy

Some important information from this post has been removed due to a valid complaint.

Monday, 29 December 2014

The SS7 flaws that allows hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop, re-route calls and read text messages. For anyone who is not aware of these things, can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws have already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



xoxoxo Added this new information on the 4th Jan 2015 oxoxox

The following is this presentation and video by Tobias Engel from the 31st Chaos Communication Congress



Thursday, 7 June 2012

On Signalling Storm... #LTEWS


The Signalling Storm is coming, its not the question of 'if' but when. This was the unanimous message from the Signaling Focus Day of the 8th LTE World Summit 2012. Several high profile outages have been associated to the Signalling storm, NTT Docomo and Verizon being the main one. Luckily the Telenor outage was due to software issues.

The problem is divided into two parts, the Access network part where the Air Interface is the bottleneck and the core network part which can easily be swamped by the overwhelming amount of Signalling due to more intelligent billing system and always on devices with background applications generating much more amount of traffic as would have on an older system. Lets look at them in turn.

Core Network Signalling Storm:

As I reported earlier, Diameter has been highlighted as a way of salvation for the operators with dozens of use cases but due to its immaturity has caused outages and have given it a bad name. As Connected Planet mentions, "According to one signaling expert, launching the iPhone’s browser, for example, instantly sets off about fifteen individual network signaling requests. Beyond that, 4G network software elements supporting increasingly sophisticated mobile service scenarios “talk” to each other at rates that traditional TDM/SS7-based networks never had to deal with." Hopefully a stable implementation of Diameter protocol will help not only solve the signalling storm but will help generate new models for charging and revenue generation.

A presentation by Ed Gubbins of Current Analysis, comparing the big vendors of Diameter Signalling is available here.

Access Network Signalling Storm:

My thinking is that the Core Network Signalling problem will become an issue some years down the road whereas the Access Network Signalling problem will be seen sooner rather than later. In fact for 3G/HSPA the problem is becoming more visible as the market has matured and more and more users are moving towards using smartphones, Since LTE rollouts are in its infancy (in most markets) the problem is still some way away.

One of the reasons for Signalling storm is the incorrect APN name. I reported earlier about Telefonica's approach to solve this problem by using 'Parking APN', see here.

Also embedded below are couple of presentations from the Signalling Focus day that talk about the problem from Access Network point of view



Other Interesting Reading Material

Finally there is an excellent whitepaper from Heavy Reading titled "The Evolution of the Signalling Challenge in 3G & 4G networks", available here to download.

Another excellent article summarising the problem is from Huawei magazine available here.

Wednesday, 23 May 2012

#LTEWS: Highlights and Pictures of Signalling day from 8th LTE World Summit



I got a chance to attend the 'Handling the Surge in Signalling Traffic Focus day' at the LTE World Summit. In fact I got this opportunity through Diametriq, who were the sponsors of this event and were kind enough to provide me a free pass :) As a result, they get a little plug below.




We got off to a flying start with an Introduction to the need of Signaling followed by a brilliant presentation by Martin Pineiro from Telecom Personal, Argentina.


This was the only presentation that looked at the Access Network Signalling. All other presentations focussed on Diameter signaling. Telecom Personal have 4 carriers, 1 is used for 3G and other 3 for GSM.


Above is their revenue share for different services. The data services really took off for them when they offered a flat rate if 1 peso per day for unlimited data.


Their average dongle data consumption is 2GB/month and average smartphone is 200MB/month.


They do have a simple definition of Smartphone, which is a device that produces 10+ packet connections per day. The device that is most popular in their network is Motorola and Apple devices produce highest data load but their comparison of devices from different manufacturers showed they all produced similar signalling traffic. 

One final point highlighted was that OS & Apps are not part of test and certification so we should get better understanding of that to help avoid signalling overload in future.

Ron de Lange from Tekelec was up next:


Interesting to hear that they are 40 year old company with 300+ customers in 100+ countries.



There is a shift coming in the usage plans with multi access roaming. Some sessions will go over WiFi and some over the mobile network. Plans with OTT allowance are already here and will be more common. There may be opportunity for end users to earn allowance as part of loyalty scheme. The main thing for operator to think is how to get a revenue share from advertisement.



Diameter 2.0 is coming. The signalling storms, if not handled properly can cause disruption (congestion) internationally, if the interconnect is not handled properly.

Next up was Ben Volkow, F5 Traffix:

Today we use Diameter 1.0, tomorrow it would be Diameter 2.0. Diamater 2.0 us "nervous system" approach.


Diamater is much less predictable than SS7 but this could be because of Immaturity of Diameter.


Real networks like the one above is out in the field. An example of n/w is one with 140 point to point connections.


DRA (Diameter Routing Agent) is a new topology introduced by 3GPP and DEA (Diameter Edge Agent) was introduced by GSMA.


The network does not want to spend million of dollars in one go so they start by deploying individual components first and then depending on the use cases this scales up as they add more components.

Next up was the Panel Discussion:


Key points:
  • Diameter is first protocol that has dedicated vendors offering monetisation of protocol as well
  • Early operators would have deployed Diameter 1.0 so they can evolve by putting DRA for one use case and so on.
  • When operators want to monetise using diameter, the signalling problems may become worse
  • Adding VoLTE may increase Diameter Signalling by 3 times
  • What is meant by monetisation of Diamater is that in SS7, the focus was on reliability, etc. but in Diameter, the operators can leverage PCRF and as a result monetisation. A new use case can also be a OTT proxy that can leverage advertisement revenue. 
  • The forecast for Diameter is couple of 100 million for this year and growing. There are many components including Router, Roaming, Charging, Security, Interconnect capability, Aggregating relationships with small carriers and OTT service providers, etc.


Next up was Marjan Mursec of Telecom Slovenia

Some interesting facts from them is that they have a public WLAN n/w, GSM with EDGE as fallback and have rolled out HD voice. Their Data usage surpasses voice and Voice and SMS is still growing as can be seen below.



Above shows the data usage increase after they rolled out all you can eat package. They were then forced to introduce fair usage policy.

Their upgrade paths include RAN, Core, Backhaul.


They think they have a big signalling challenge over S1-MME interface. One wrong configured user is sending 4 requests/second. 12,500 users can be enough to reach congestion (ZG: Maybe they should look at PDP Context Parking). Over the S1-U interface, Narrowband users can send 50 packets/sec. 40,000 users at 13.6kbps can saturate the network and the routers will be overloaded.

Next up was Ajay Joseph from iBasis:


Interesting to see that GRX is a service in IPX above.


I think the main point of above is that Diameter by itself is not enough and a mechanism like IPX is required for roaming scenario.


For LTE a new service called LTE Signalling exchange (LSX) can be created within IPX. iBasis has just launched Sandbox for testing Roaming, Charging, Interoperability, etc.

Will LSX bring the roaming costs down? Its operators call but it does provide a foundation and in the next 2-3 years, data roaming costs should come down dramatically.

It should be noted that GRX is an IP network without QoS. Its a service within IPX. Security is also a service within IPX and GSMA based compliance should be there for proper and secure interoperability.

Voice over IPX is not of much interest, especially because there is no return of investment and HD voice cant be send over IP.

Next up was Douglas Ranalli from NetNumber:

His slides are self explanatory




One question during Q&A was, why not put this functionality in the cloud and avoid complexity of having another physical box in the system. The answer was that CDRB is implemented to be compliant with cloud deployment but operators have not yet taken this step. The customers are deploying physical boxes but shared infrastructure would be much more efficient.

Next up was Doug Alston from Sprint:



Next up was Anjan Ghosal from Diametriq:






Everyone is talking about LTE-LTE roaming but there is a need for LTE-3G and LTE-2G so some translation may be required between Diameter and SS7.


Diametriq provides a single platform for signalling between any service (2G/3G/4G) and possibility to enhance.

Next up was another Panel Discussion:


One observation is made is that as compared to the ITM Optimisation event, where the operators were more worried about the OTT players eroding revenues, the focus here was that how Diameter can help monetise the OTT services,

Next up was Edward Gubbins from Current Analysis:




The Final presentation was from Julius Mueller from Fraunhofer FOKUS:




As usual, Dimitris Mavrakis was up to the mark and chaired the whole day very well.

To end an enjoyable day even better, iBasis invited the attendees for drinks on the Hilton Terrace, which is next to CCIB and complemented the drinks with some delicious Tapas as can be seen below :)






E&OE. In case if have misheard, misquoted, etc. please feel free to correct me via comments in this post.

For all the action from LTE World Summit for the next 2 days, please follow twitter #LTEWS.

Please let me know by using the voting buttons below if you found it useful or not.