Date post: 12-Oct-2019
Page 1: STUDY PAPER ON SS7 Security - tec.gov.in security.pdf · SS7 was traditionally served over Time Division Multiplexing (TDM) networks but with the evolvement of IP networks, SIGTRAN

1 | P a g e

STUDY PAPER ON

SS7 Security

……TSA Division, TEC


INDEX:

i. Introduction ........................ 3
ii. Signalling System No. 7 ............ 4
iii. Security Issues in SS7 ............ 5
iv. Mitigation of Attacks .............. 12
v. Best Practices ...................... 13
vi. Future Relevance of Attacks ........ 14
vii. Worldwide Attacks in SS7 .......... 15
viii. Conclusion ....................... 16
ix. Glossary ........................... 17
x. References .......................... 18


1. INTRODUCTION:

Common Channel Signalling System No. 7 (SS7 or C7) is a global standard for telecommunications defined by the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T). The standard defines the procedures and protocol by which network elements in the public switched telephone network (PSTN) exchange information over a digital signalling network to effect wireless (cellular) and wireline call setup, routing and control.

Traditionally SS7 has followed a "walled garden" approach, meaning it relies solely on mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network was regarded as a closed, trusted network.

In the present scenario this is no longer valid. Network providers are opening up their SS7 networks to third parties as commercial offerings, which may introduce vulnerabilities into the existing network.

Attacks on SS7 may sometimes have a severe effect: depending on the nature of the protocol, they allow access to information such as user location and call/SMS details, and in turn also affect financial services. Hence there is an urgent need to analyse the security gaps in such networks and implement the controls needed to close them.

In this paper we examine the attacks against SS7 and look into the basic security mechanisms aimed at mitigating those attacks. The paper also addresses the best practices which need to be adopted to address SS7 insecurities and improve the core network security posture.


2. Signalling System No. 7:

Signalling System Number Seven (SS7) is a suite of protocols that were standardized in the 1980s in the ITU-T Q.700 series. New protocols were added in the 1990s and 2000s by ETSI and 3GPP to support mobile phones and the services they need (roaming, SMS, data).

Fig 1: CCS7 Protocol Stack

The Mobile Application Part (MAP) is an SS7 protocol that provides an application layer for the various nodes in GSM and UMTS mobile core networks and GPRS core networks to communicate with each other in order to provide services to mobile phone users. MAP is the application-layer protocol used to access the Home Location Register (HLR), Visitor Location Register (VLR), Mobile Switching Centre (MSC), Equipment Identity Register (EIR), Authentication Centre (AuC), Short Message Service Centre (SMSC) and Serving GPRS Support Node (SGSN).

Customized Applications for Mobile Network Enhanced Logic (CAMEL) was introduced to allow mobile operators to build custom services that were not possible through MAP.

SS7 was traditionally served over Time Division Multiplexing (TDM) networks, but with the evolution of IP networks SIGTRAN was introduced as part of the SS7 protocol family. SIGTRAN uses an IP protocol called Stream Control Transmission Protocol (SCTP) as the transport layer for SS7.

The SS7 protocol suite has diverse applications across the global telecommunication network. It is the signalling protocol used between the control elements in the mobile core network. When a mobile is switched on, the identification, authentication and registration of the Subscriber Identity Module take place through SS7-based signalling. SS7 is also needed each time we make a telephone call which goes beyond the local exchange.

[Fig 1 layers, recovered from the figure: SS7 side: MTP Level 1, MTP Level 2, MTP Level 3, ISUP, SCCP, TCAP, CAP, MAP; SIGTRAN side: Ethernet, IP, SCTP, M2UA]

Apart from the above, the SS7 network and protocol have the following applications:

1. Call establishment, management and release.
2. Short Message Service (SMS).
3. Supplementary services offered by mobile operators, such as Call Number Display (CND), call waiting and call forwarding.
4. Line Information Database (LIDB), which holds information related to the subscriber's identification, such as name and address, along with billing information.
5. Local Number Portability (LNP).
6. Toll-free numbers for telemarketing.
7. Televoting.
8. Enhanced Messaging Services (EMS), such as logo and ringtone delivery.
9. Call blocking (do-not-call enforcement).

3. SECURITY ISSUES IN SS7:

The SS7 protocols were designed at a time when they were used only by a closed community of telecom operators, and were built mainly on mutual trust and cooperation between those operators. Regardless of the advancement of IP-based mobile technologies, SS7 continues to dominate the telecommunication world because it has become the backbone of Global System for Mobile Communications (GSM) systems and all newer cellular technologies based on it.

However, mobile networks are no longer the realm of a few trusted national operators. Newer technologies like SIGTRAN and Session Initiation Protocol (SIP) have increased the entry points to the mobile core network, and the opening of the telecommunications market to competition has increased the number of "trusted" operators far beyond what was originally intended. Hence, today SS7 is no longer a closed network; it is also used for interconnectivity between mobile network operators and to enable roaming and cellular services across operator domains.

From a security point of view, SS7 was designed with very few, and weak, authentication and authorization mechanisms.

In the last quarter of 2014, several successful attacks using the SS7 network, such as eavesdropping, user tracking, SMS spoofing and SMS redirection, were demonstrated. However, in-depth technical research into these attacks from the mobile network provider's point of view, to understand the vulnerabilities in existing systems, has been lacking.

In the next sections we examine some of the attacks against SS7 controls and propose certain mechanisms that can limit the effect of these attacks.

3.1 Call and SMS interception:

Intercepting communications has always been the ultimate target of any espionage operation. In the old days of wired phones, attackers physically tapped into the wire to listen to an ongoing call.

In the age of mobile communication, the call is transmitted over the radio between the calling parties and the mobile networks. Normally the traffic is encrypted over the air interface, using either the A5/1 or the A5/3 cipher. Recently A5/1 has been broken, and it is possible to decrypt calls transferred over the air interface using cheap radio interceptors and rainbow tables. As a result, operators started to roll out the stronger cipher A5/3 to combat such attacks.

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually used for cracking password hashes.

3.1.1 Call Interception using sendIdentification:

Fig 2: Using sendIdentification for call interception

[Fig 2 elements, recovered from the figure: MSC, PVLR, VLR and MSC connected over the global SS7 network, exchanging sendIdentification]

sendIdentification is a MAP message used in the inter-MSC handover process.

The mobile switching centre (MSC) normally holds the encryption keys used by each subscriber to establish a call. When the subscriber is moving, the handover process provides a smooth transition of the subscriber between different radio cells while maintaining the call in progress.

In some cases the subscriber moves from one cell to another which is served by a different VLR. In this case the new VLR does not initially have the authentication information that would allow the call to continue, hence an inter-MSC handover process is needed to transfer the keys to the new MSC.

This is done through "sendIdentification". The new VLR sends a "sendIdentification" message to the old VLR, which in turn responds with the keys needed to maintain the ongoing call. Among these keys is the key used to encrypt the traffic over the air.

During the attack, the attacker captures the target's traffic over the air interface (which requires physical proximity to the target). With access to SS7, the attacker can then use the sendIdentification message to retrieve the decryption keys for the target and use them to decrypt the traffic.

3.1.2 Interception using 3G IMSI Catcher:

Second Generation (2G) networks did not offer the concept of mutual authentication, where the network authenticates itself to the subscriber. This made the subscriber vulnerable to an attack known as the 2G IMSI catcher. In this scenario, the attacker using a rogue radio cell could announce the same network as a legitimate network with higher power than the normal network. The target would then unknowingly connect to the rogue cell instead of the legitimate network. The attacker intercepts the call and then forwards it to its destination.

In 3G networks such an attack was not possible, since the network has to authenticate back to the subscriber before a call is established. However, with access to SS7 the attacker can send another MAP message, called sendAuthenticationInfo, to the HLR to get the information needed to successfully impersonate the legitimate network.

Fig 3: 3G IMSI Catcher with sendAuthenticationInfo

3.1.3 SMS Interception:

The updateLocation message is used to update the subscriber's location in the network. It informs the network of which VLR/MSC the subscriber is currently connected to.

Figure 4. Update subscriber location with a fake location

Figure 5. Attacker receives SMS intended for the user

Using a fake updateLocation message, the attacker claims that the victim's MS is connected to their MSC. In this case the subscriber's SMSs will be forwarded to the attacker's SMS centre to be delivered to the MS. In addition to intercepting the target's personal SMSs, this attack can be used against authentication systems that rely on SMS verification (SMS tokens, Facebook verification, etc.) and could lead to the compromise of the target's identity.

3.2 Location Tracking:

With the growing number of mobile phone users, the number of services that mobile users demand is increasing. There exist many location-based services in which the user allows application vendors to learn their location. However, insufficiently protected nodes in mobile communication networks can also disclose the location without the user's consent. Some of the SS7 vulnerabilities that can facilitate location tracking are as follows:

3.2.1 Attack using call setup messages

This attack uses the normal message flow of call setup to learn the approximate location of the user (or MS). Successful completion of this attack would reveal the IMSI (which is supposed to be secret), the global title of the MSC (which identifies the MSC uniquely in the global network, and hence its geo-location) and error messages if the phone is turned off.

Figure 6: Location disclosure using call setup messages.

In this scenario the attacker impersonates a GMSC and sends a MAP SRI message enclosing the MSISDN (phone number) to the HLR. Since no authentication check is made, the HLR assumes someone is trying to call the provided MSISDN and processes the message; through communication with the VLR it obtains the MSRN, together with the IMSI and the GT of the MSC/VLR to which the subscriber is connected. This information is in turn passed to the attacker impersonating the GMSC, and thus the subscriber's location is disclosed to the attacker.

3.2.2 Location disclosure using CAMEL Location Management Function messages:

Customized Applications for Mobile Networks Enhanced Logic (CAMEL) is an overlay on the MAP logical layer. As part of the location management function, network providers can send Any Time Interrogation (ATI) messages to the HLR from CAMEL platforms to obtain the cell ID or location of the user, along with subscriber information such as billing data and the International Mobile Station Equipment Identity (IMEI).

This cell ID can be acquired by an attacker and used to determine the actual location of the subscriber.

Figure 7: Abusing the anyTimeInterrogation message to acquire the target's location


3.2.3 Location tracking (ProvideSubscriberInfo (PSI)):

In case the ATI message has been filtered, the attacker can still send the provideSubscriberInfo message directly to the MSC/VLR to which the subscriber is currently connected. The attacker will first need to find out the IMSI and the address of the MSC using a message like sendRoutingInfoForSM, which returns the Global Title (GT) address of the MSC.

Figure 8. Acquiring cell ID using ProvideSubscriberInfo

3.2.4 Hybrid attack using SMS and CAMEL messages:

Though anyTimeInterrogation is part of some location-finder application services, many network operators block (filter) it for security purposes, and hence the attacker will not always get a response to an anyTimeInterrogation request. However, the attacker can bypass this using a hybrid attack that queries the MSC/VLR directly. Figure 9 below describes such a hybrid attack, circumventing the anyTimeInterrogation filters imposed by network operators.

The attacker can send a provideSubscriberInfo request to the MSC/VLR by impersonating the HLR. However, the MSC/VLR will process it only if it carries the IMSI, as a genuine request from the HLR would. Since we assume the attacker only knows the MSISDN (phone number) of the victim, the attacker must first obtain the IMSI.

Figure 9: Location disclosure hybrid attack.

3.3 SS7 AND SIGTRAN:

Being an addendum to the SS7 suite, SIGTRAN supports the call management and application models of SS7, but over the Internet Protocol (IP) and the transport layer called Stream Control Transmission Protocol (SCTP). SIGTRAN facilitates adaptation of Voice over IP (VoIP) networks to PSTN signalling. An attacker can use SCTP stealth scanning methodologies to explore vulnerable ports in the SS7 core network.

One of the useful tools to scan SCTP-enabled network elements is SCTPScan, which scans machines running major operating systems such as Linux, BSD, Mac OS X and Solaris. It allows the attacker to find entry points to the telecom core network infrastructure and to map them.

SCTPScan uses the INIT (Initiation) chunk of an SCTP packet and listens for the INIT ACK message to learn the live host machines and open ports.


Figure 10: (a) SCTP full 4-way handshake (b) SCTP scan by attacker
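The INIT/INIT ACK behaviour just described also gives the defender a signature: a scanner needs only the INIT ACK (or an ABORT) to learn the port state, so it never sends the COOKIE ECHO that completes the 4-way handshake of Figure 10(a). The following Python detector is an added example written for this page, not a tool from the paper or from SCTPScan. It reads constructed chunk-level records and flags any source that has sent INIT to several distinct endpoints without ever completing an association. The record format, the addresses and ports, and the threshold of three endpoints are assumptions.

```python
"""Detect SCTP INIT sweeps from chunk-level records (added example; the
record format, addresses, ports and threshold are assumptions, not from
the paper)."""
from collections import defaultdict

# Constructed sample records: (source_ip, destination_ip, server_port, chunk_type).
# server_port is the port on the signalling node for both directions of a flow.
# 10.0.0.5 completes the full 4-way handshake (INIT, INIT_ACK, COOKIE_ECHO,
# COOKIE_ACK) with one peer; 198.51.100.7 only sends INIT chunks to several
# endpoints and never follows up with COOKIE_ECHO, the footprint of an INIT scan.
SAMPLE_CHUNKS = [
    ("10.0.0.5",     "192.0.2.10",   2905, "INIT"),
    ("192.0.2.10",   "10.0.0.5",     2905, "INIT_ACK"),
    ("10.0.0.5",     "192.0.2.10",   2905, "COOKIE_ECHO"),
    ("192.0.2.10",   "10.0.0.5",     2905, "COOKIE_ACK"),
    ("198.51.100.7", "192.0.2.10",   2905, "INIT"),
    ("192.0.2.10",   "198.51.100.7", 2905, "INIT_ACK"),
    ("198.51.100.7", "192.0.2.10",   2904, "INIT"),
    ("198.51.100.7", "192.0.2.11",   3868, "INIT"),
    ("198.51.100.7", "192.0.2.11",   2905, "INIT"),
    ("198.51.100.7", "192.0.2.12",   2905, "INIT"),
]


def detect_init_sweeps(records, threshold=3):
    """Return {source_ip: sorted [(dst_ip, port), ...]} for every source that
    sent INIT to at least `threshold` distinct endpoints and never followed up
    with COOKIE_ECHO to them.  A legitimate signalling peer completes the
    handshake; a scanner stops after learning the INIT_ACK / ABORT response."""
    initiated = defaultdict(set)   # source -> endpoints it sent INIT to
    completed = defaultdict(set)   # source -> endpoints it sent COOKIE_ECHO to
    for src, dst, port, chunk in records:
        if chunk == "INIT":
            initiated[src].add((dst, port))
        elif chunk == "COOKIE_ECHO":
            completed[src].add((dst, port))
    sweeps = {}
    for src, endpoints in initiated.items():
        half_open = sorted(endpoints - completed[src])
        if len(half_open) >= threshold:
            sweeps[src] = half_open
    return sweeps


if __name__ == "__main__":
    for src, endpoints in detect_init_sweeps(SAMPLE_CHUNKS).items():
        print(f"possible SCTP INIT sweep from {src}: {len(endpoints)} half-open endpoints")
```

The check deliberately keys on the client-side COOKIE ECHO rather than on the server's INIT ACK, because the node under scan answers INIT ACK to a scanner and a legitimate peer alike; only the absence of the third handshake message separates the two.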

4. MITIGATION OF ATTACKS:

Since the mobile core network consists of assorted protocols, applications, platforms and implementations, a concrete amalgamation of the underlying systems is required to build a defence mechanism against the attacks. A heterogeneous attack management system to protect the distributed architecture of the telecommunication core network should provide a secure communication infrastructure through authentication, encryption and access control mechanisms.

4.1 BOUNDARY DEFENSES:

The security of the network can be strengthened by creating a hardened network perimeter, i.e. by establishing a clear and secure boundary to the network. Boundary defences such as SS7-aware firewalls and IDS/IPSs have the capability to understand SS7/MAP traffic and detect/block these attacks. Some of the mechanisms are explained below:

i. SSPs are the entry points to the SS7 core network from the RAN; an authentication component deployed at each and every SSP will restrict attacks that try to gain core network access.

ii. While studying the attacks abusing the mobile core network, it was evident that attackers misuse the interconnection between multiple operators at STPs. Attackers often masquerade as roaming partners and try to establish a connection to target STPs by their GT or SSN, and then exploit the system by issuing unexpected network-internal commands. Such malicious activities can be stopped by implementing a sophisticated STP firewall system to monitor the interconnection.

An intuitive firewall can be overlaid onto the existing network by situating the firewalls at SS7 interconnect points. An advanced analysis and reporting module accompanying the firewall can perform real-time inspection and report back to the firewall for policy changes.

iii. Since SCPs deal with sensitive data, messages addressed to SCPs have to be scrutinized carefully for their authenticity. An access control module situated just before the SCPs can restrict illegitimate messages from unauthenticated network entities. Furthermore, a real-time fraud analyser interfaced with the SCPs, in conjunction with the access control module, can be useful to analyse doubtful messages that have bypassed the access control mechanisms. These measures can help to protect the sensitive subscriber information residing in the SCPs (such as the HLR and EIR) from illegitimate access.

4.2 Maintenance, Monitoring & Analysis of Audit Logs:

Log the usage of specific MAP messages, either using the native logging capabilities of the core network elements or through logs provided by quality-of-service nodes deployed to monitor network quality. These logs can then be analysed for abnormalities, such as those resulting from any of the categories of attack described above.

An example of correlation would be receiving an updateLocation message from an external entity a short time after receiving another message internally. This scenario is not normal in reality, since it would mean that the user has travelled abroad in a very short period of time, indicating an attack against that user.
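The correlation rule just described, as an added Python example (not code from the TEC paper): it walks a constructed MAP signalling log, remembers the most recent internally originated event per IMSI, and raises an alert when an externally originated updateLocation for the same IMSI arrives within a configurable window. The log line format, the IMSI and Global Title values and the 30-minute window are assumptions.

```python
"""Correlate external updateLocation messages against recent internal
activity per subscriber (added example; log format, identifiers and the
time window are assumptions, not from the paper)."""
from datetime import datetime, timedelta

# Constructed sample log.  Each line is:
#   <ISO-8601 timestamp> <MAP operation> imsi=<IMSI> origin=<internal|external> gt=<calling GT>
# IMSIs and Global Titles are placeholders, not real subscribers or nodes.
SAMPLE_LOG = """\
2019-10-12T09:00:00 updateLocation       imsi=404100000000001 origin=internal gt=919800000001
2019-10-12T09:02:30 sendRoutingInfoForSM imsi=404100000000001 origin=internal gt=919800000002
2019-10-12T09:04:10 updateLocation       imsi=404100000000001 origin=external gt=123400000099
2019-10-12T09:05:00 updateLocation       imsi=404100000000002 origin=internal gt=919800000001
2019-10-12T15:30:00 updateLocation       imsi=404100000000002 origin=external gt=447000000010
"""


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts', the 'opcode'
    and the key=value fields as strings."""
    ts, opcode, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "opcode": opcode, **fields}


def find_suspicious_location_updates(log_text, window=timedelta(minutes=30)):
    """Return (imsi, timestamp, calling_gt) for each external updateLocation
    that follows an internal event for the same IMSI within `window`.
    Such a sequence implies the subscriber 'travelled abroad' within minutes,
    which is the anomaly the paper singles out."""
    last_internal = {}   # imsi -> time of the most recent internally originated event
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        imsi = event["imsi"]
        if event["origin"] == "internal":
            last_internal[imsi] = event["ts"]
        elif event["opcode"] == "updateLocation":
            previous = last_internal.get(imsi)
            if previous is not None and event["ts"] - previous <= window:
                alerts.append((imsi, event["ts"].isoformat(), event["gt"]))
    return alerts


if __name__ == "__main__":
    for imsi, when, gt in find_suspicious_location_updates(SAMPLE_LOG):
        print(f"ALERT imsi={imsi} external updateLocation at {when} from GT {gt}")
```

With the sample log only the first subscriber is flagged: an external updateLocation four minutes after an internal one. The second subscriber's external update arrives more than six hours later, which a plausible itinerary can explain, so it falls outside the window; the window is the tuning knob between false positives on genuine border-region roamers and missed attacks.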

5. BEST PRACTICES:

Some of the best practices that can be adopted by both mobile network operators and providers are listed below:

i. High-priority messages like Any Time Interrogation and MAP Send Parameters are purely internal. Hence any such message from an external network should be filtered out.

ii. Mobile network operators should completely remove the dependency on handing over the subscriber IMSI and MSC GT to external networks. This can be achieved through proper implementation of SMS home routing and optimal routing within the network. This prevents attackers in the first place from executing interception and fraud attacks, as they cannot locate their victims.

iii. Messages like Insert Subscriber Data should be processed only after authenticating the origin of the message. If they originate from external networks or APIs, such requests should be denied.

iv. Any information being sent out of the HLR should be filtered based on checking the origin of the requester. Messages such as Update Location have to be checked with the previous MSC/VLR to confirm the legitimacy of the new VLR.

v. Network operators without roaming agreements should be blocked at interconnect STPs. Transport-layer firewalls (Layer 2 firewalls) as part of SCCP Routing Control (SCRC) can be implemented to enforce legitimate GT and SSN routing and provide more security to the system. This firewall can also be accompanied by application-level firewalls (Layer 7 firewalls) to filter out malicious MAP, CAP and supplementary service (SS) messages.

vi. Mobile operators should educate their subscribers to be aware of RAN attacks such as IMSI catchers, fake base stations and silent SMS, by encouraging them to use applications such as 'SnoopSnitch' and 'Darshak'.
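One way to express best practices i to v, and the STP/SCP boundary checks of section 4.1, as an executable interconnect policy. This is an added example written for this page, not the paper's or any vendor's firewall. Each constructed MAP message carries the operation name, the SCCP calling-party Global Title and the called SSN; the evaluator returns a decision together with the rule that produced it. The home GT prefix, the roaming-partner prefixes, the SSN allow-list and the treatment of provideSubscriberInfo as internal-only (following section 3.2.4, where a genuine request to the VLR comes from the home HLR) are assumptions.

```python
"""Interconnect filtering policy for MAP traffic (added example; GT prefixes,
SSN list and message classes are assumptions, not from the paper)."""
from dataclasses import dataclass

HOME_GT_PREFIX = "9198"                       # constructed: our own nodes' Global Titles
ROAMING_PARTNER_PREFIXES = ("4470", "3366")   # constructed: GT prefixes of roaming partners

# Best practices i and iii: messages that only make sense inside the home network.
# provideSubscriberInfo is added following section 3.2.4, where a genuine
# request to our VLR comes from our own HLR.
INTERNAL_ONLY = {"anyTimeInterrogation", "sendParameters",
                 "insertSubscriberData", "provideSubscriberInfo"}
# Best practice ii: answer SMS routing queries via home routing so that the
# IMSI and MSC GT are not handed to the external network.
HOME_ROUTED = {"sendRoutingInfoForSM"}
# Best practice v: SCCP-level (Layer 2) check on the called subsystem.
# SSN values from 3GPP TS 29.002: 6 = HLR, 7 = VLR, 8 = MSC.
EXTERNAL_ALLOWED_SSNS = {6, 7, 8}


@dataclass
class MapMessage:
    opcode: str        # MAP operation name
    calling_gt: str    # SCCP calling-party Global Title (digits)
    called_ssn: int    # SCCP called-party subsystem number


def is_internal(msg: MapMessage) -> bool:
    return msg.calling_gt.startswith(HOME_GT_PREFIX)


def evaluate(msg: MapMessage) -> tuple:
    """Return (decision, reason).  Decisions: ALLOW, BLOCK, HOME_ROUTE, VERIFY."""
    if is_internal(msg):
        return ("ALLOW", "internally originated")
    # Best practice v: no roaming agreement -> drop at the interconnect STP.
    if not msg.calling_gt.startswith(ROAMING_PARTNER_PREFIXES):
        return ("BLOCK", "calling GT has no roaming agreement")
    if msg.called_ssn not in EXTERNAL_ALLOWED_SSNS:
        return ("BLOCK", f"SSN {msg.called_ssn} not reachable from interconnect")
    # Best practices i and iii: application-level (Layer 7) filtering.
    if msg.opcode in INTERNAL_ONLY:
        return ("BLOCK", f"{msg.opcode} accepted from internal nodes only")
    if msg.opcode in HOME_ROUTED:
        return ("HOME_ROUTE", "respond with home-routing address, not IMSI/MSC GT")
    # Best practice iv: a partner VLR registering our subscriber must be
    # confirmed against the previous MSC/VLR before the HLR acts on it.
    if msg.opcode == "updateLocation":
        return ("VERIFY", "confirm new VLR with previous MSC/VLR")
    return ("ALLOW", "roaming partner traffic")


# Constructed sample messages covering each branch of the policy.
SAMPLES = [
    MapMessage("anyTimeInterrogation",  "919800000001", 6),    # own node: allowed
    MapMessage("anyTimeInterrogation",  "447000000010", 6),    # partner, internal-only op: blocked
    MapMessage("updateLocation",        "447000000010", 6),    # partner VLR: verify first
    MapMessage("sendRoutingInfoForSM",  "336600000005", 6),    # partner SMSC: home-routed
    MapMessage("updateLocation",        "123400000099", 6),    # no roaming agreement: blocked
    MapMessage("provideSubscriberInfo", "447000000010", 7),    # external PSI to VLR: blocked
    MapMessage("updateLocation",        "447000000010", 146),  # SSN outside allow-list: blocked
]

if __name__ == "__main__":
    for m in SAMPLES:
        decision, reason = evaluate(m)
        print(f"{m.opcode:22} from {m.calling_gt} ssn={m.called_ssn:<3} -> {decision:10} ({reason})")
```

The ordering matters: the cheap SCCP-level checks (partner GT, SSN) run first so that unknown origins never reach the MAP-level rules, and the updateLocation branch returns VERIFY rather than ALLOW because the paper's rule iv requires a second lookup against the previous MSC/VLR that a stateless filter cannot do on its own.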


6. FUTURE RELEVANCE OF ATTACKS

6.1 3G, 4G and Beyond:

Though the SS7 protocol seems outdated, vulnerabilities in SS7 have affected newer standards such as UMTS and LTE. SS7 enables the exchange of encryption keys and, hence, even UMTS-encrypted communication over the RAN can be decrypted by mounting the attack explained above.

Apart from the attacks against the mobile core network analysed in this paper, there exist a large number of attacks that exploit other vulnerabilities in SIM cards and the mobile Internet (GPRS), as well as attacks that sniff RAN traffic. Even with the implementation of the latest cryptography standards, mobile phones are still prone to clandestine surveillance programs, as the encryption keys used at the root level (SIM cards) are too short to resist cyber espionage.

Attackers exploit basic cellular service workflows such as voice calls and text messages, and hence not all SS7 attacks can be blocked with simple filtering, as that might affect the regular working of telecommunication systems. Furthermore, attacks on value-added services such as Unstructured Supplementary Service Data (USSD), which is used for monetary transactions, can incur considerable financial loss to the victim or wipe out personal data from the phone. Since banks and governmental agencies are also involved besides the mobile phone subscribers, USSD-based attacks can be catastrophic to a larger community.

6.2 SS7 and DIAMETER:

Currently, through 4G, everything is moving towards 'all-IP' connections and the IP-based Diameter protocol. Since the IP-based signalling protocols by default use IPsec to authenticate connections, they have a higher chance of providing sufficient security than SS7.

Diameter addresses a broader range of emerging technologies than just cellular access, such as Mobile IP and the Internet of Things (IoT). Diameter is considered a peer-to-peer (P2P) communication protocol. Being a P2P network, every node within the Diameter system can act as a client or a server depending on the network deployment. Every peer within the system uses dynamic peer discovery strategies, including peer tables, which removes the need for manual configuration of the NAS.

One of the key measures to protect the core telecommunications network against breaches is hiding the critical elements from outside exposure. In SS7, the Global Title Translation (GTT) functionality helps to reduce network exposure by reducing the need to disclose the entire network's element addresses in the routing tables of each and every node of the network. GTT hides critical infrastructure such as the HLR and EIR, as STPs can resolve the actual addresses of these elements using internal routing tables. In the Diameter protocol this concept is implemented by default in the Home Subscriber Server (HSS), which takes care of GTT as well as mutual network-terminal authentication. GTT and mutual terminal authentication jointly can protect the system against SCTP port scanning and impersonation attacks.

Another concern in GSM/UMTS core networks is an attacker mapping the boundaries of the core network by penetrating deeper into it through vulnerable ports at the interconnection gateways. The Diameter protocol prevents such penetration by topology hiding, in terms of critical infrastructure as well as routing paths.

Diameter uses the Network Access Identifier (NAI), Challenge Handshake Authentication Protocol (CHAP), Extensible Authentication Protocol (EAP) and Password Authentication Protocol (PAP) for authentication, which makes it relatively more secure than SS7.

One issue with the Diameter protocol is that it standardizes the use of IPsec and TLS in mobile communication, but their use is not mandatory. Also, there is no procedure to verify whether IPsec or TLS has been used underneath the Diameter implementation of the VPLMN. Moreover, being a P2P protocol, Diameter is application based. The rate at which Diameter can send or handle messages, and the disclosure of interconnected peers or routes, depend on the application. The packets that a Diameter system can send depend on the application that generates them rather than on network settings. In such application-driven environments, if there is insufficient traffic to piggyback the acknowledgement messages, the underlying TCP or SCTP protocols may cause more traffic with encrypted data. Furthermore, the application decides the penetration or reachability of the signalling messages. An attacker can impersonate at the application level and penetrate deeper into the core network. Hence Diameter cannot completely ensure core network security against spoofing and interception during interconnection.

Yet another issue with the Diameter protocol is that it does not secure the system against DoS attacks. Though the peers can recognize malicious flooding messages, the failover algorithms within Diameter implementations try to respond to the attacker with error messages. The attacker can exploit this to overwhelm the target peer with flooding messages and hence execute a successful DoS attack.

But compared to SS7, Diameter, through its AAA mechanism, may provide a better and more secure solution.

7. WORLDWIDE ATTACKS IN SS7:

i. Attack on the Ukrainian SS7 network:

This is one of the major SS7 attack incidents, registered in 2014 by NKRZI (the National Commission for the State Regulation of Communications and Informatization), the Ukrainian telecom regulator. As per published reports, many Ukrainian mobile phone holders were affected by malicious SS7 packets that possibly originated from another nation. As a result, details of mobile phones, including addresses, contacts etc., were intercepted by attackers.

A series of SS7 packets received by MTS Ukraine's SS7 network modified control information stored in network switches for a number of MTS Ukraine mobile users. As a result, when one of the affected mobile subscribers tried to ring someone else, their call would be forwarded to a physical landline number in another location for interception. Through this the attackers also intercepted calls illegally.

ii. In 2010, due to malformed SS7 traffic, the HLR of a European MNO crashed, resulting in 12 hours of downtime for the complete network.


8. CONCLUSION:

A telecommunication network is an intricate system made up of diverse subsystems built on different technologies. While legacy systems are there to survive for years to come, the security of the whole system is defined by the security level of the weakest link and partner. The SS7 protocol was built for signalling between a handful of trusted telecommunication partners, but it is still used in the backbone of mobile communication, with an open market for new operators, to serve more than half of the world's population. SS7 may continue to dominate the mobile core network for at least the next few years.

Moreover, the integration of Internet technologies with telecommunication systems has produced new ways for attackers to penetrate the system. Popular hardware, software and operating systems on personal computers provide the same functionality as the sophisticated equipment used in earlier days' telecommunication environments, which means that attacks are no longer limited by access to hardware or software.

Hence the security issues of SS7 may cause serious concern for the Indian telecom scenario, and operators should address these weaknesses and identify all possible mechanisms for addressing these issues. Presently CERT-In has no separate mechanism to report SS7 incidents, and hence the proposed T-CERT should be encouraged to address SS7 security issues.


9. GLOSSARY:

i. AAA: Authentication, Authorization and Accounting
ii. BSS: Base Station Subsystem
iii. CHAP: Challenge-Handshake Authentication Protocol
iv. CAMEL: Customised Applications for Mobile network Enhanced Logic
v. EAP: Extensible Authentication Protocol
vi. GSM: Global System for Mobile communication
vii. GPRS: General Packet Radio Service
viii. GT: Global Title
ix. GTT: Global Title Translation
x. HLR: Home Location Register
xi. IDS: Intrusion Detection System
xii. IMSI: International Mobile Subscriber Identity
xiii. INIT: Initiation
xiv. IPS: Intrusion Prevention System
xv. IoT: Internet of Things
xvi. MAP: Mobile Application Part
xvii. MSC: Mobile Switching Centre
xviii. NAS: Network Access Server
xix. NAI: Network Access Identifier
xx. MSISDN: Mobile Station International Subscriber Directory Number (Mobile Subscriber ISDN number)
xxi. MSU: Message Signalling Unit
xxii. PSTN: Public Switched Telephone Network
xxiii. P2P: Peer to Peer
xxiv. PAP: Password Authentication Protocol
xxv. RAN: Radio Access Network
xxvi. SMS: Short Message Service
xxvii. SMS-C: SMS Centre
xxviii. SS7: Signalling System No. 7
xxix. STP: Signalling Transfer Point
xxx. SCCP: Signalling Connection Control Part
xxxi. SCTP: Stream Control Transmission Protocol
xxxii. SCP: Service Control Point
xxxiii. SCRC: SCCP Routing Control
xxxiv. SIGTRAN: Signalling Transport
xxxv. TCAP: Transaction Capabilities Application Part
xxxvi. TLS: Transport Layer Security
xxxvii. VPLMN: Visited Public Land Mobile Network
xxxviii. VLR: Visitor Location Register
xxxix. UMTS: Universal Mobile Telecommunications System (3G)


10. REFERENCES:

[i] SANS Institute, "The Fall of SS7: How Can the Critical Security Controls Help?" (paper)
[ii] SS7: Locate, Track & Manipulate: https://www.youtube.com/watch?v=lQ0I5tl0YLY
[iii] SS7 Map (P1 Security): http://ss7map.p1sec.com/
[iv] IMSI Catcher [pdf document]
[v] http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/slides_imsi_catcher.pdf
[vi] v4_Sid Master Thesis on SS7 Security
[vii] IR.7031, GSMA paper on SS7 fraud
[viii] http://securityaffairs.co/wordpress/31598/intelligence/ss7-attacks-ukraine.html

