2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Francisco, CA, US
May 21, 2018 to May 23, 2018
ISSN: 2375-1207
ISBN: 978-1-5386-4353-2
pp: 86-101
Christian Peeters, University of Florida
Hadi Abdullah, University of Florida
Nolen Scaife, University of Florida
Jasmine Bowers, University of Florida
Patrick Traynor, University of Florida
Bradley Reaves, North Carolina State University
Kevin Butler, University of Florida
The global telephone network is relied upon by billions every day. Central to its operation is the Signaling System 7 (SS7) protocol, which is used for setting up calls, managing mobility, and facilitating many other network services. This protocol was originally built on the assumption that only a small number of trusted parties would be able to directly communicate with its core infrastructure. As a result, SS7, as a feature, allows all parties with core access to redirect and intercept calls for any subscriber anywhere in the world. Unfortunately, increased interconnectivity with the SS7 network has led to a growing number of illicit call redirection attacks. We address such attacks with Sonar, a system that detects the presence of SS7 redirection attacks by securely measuring call audio round-trip times between telephony devices. This approach works because redirection attacks force calls to travel longer physical distances than usual, thereby creating longer end-to-end delay. We design and implement a distance bounding-inspired protocol that allows us to securely characterize the round-trip time between the two endpoints. We then use custom hardware deployed in 10 locations across the United States and a redirection testbed to characterize how distance affects round trip time in phone networks. We develop a model using this testbed and show Sonar is able to detect 70.9% of redirected calls between call endpoints of varying attacker proximity (300-7100 miles) with low false positive rates (0.3%). Finally, we ethically perform actual SS7 redirection attacks on our own devices with the help of an industry partner to demonstrate that Sonar detects 100% of such redirections in a real network (with no false positives). As such, we demonstrate that telephone users can reliably detect SS7 redirection attacks and protect the integrity of their calls.
telephone-security, distance-bounding, SS7

C. Peeters et al., "Sonar: Detecting SS7 Redirection Attacks With Audio-Based Distance Bounding," 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, pp. 86-101.