Rowland Corr, VP of Government Relations at Enea, was recently invited to the European Parliament as an expert on telecom signaling security to talk about how access to telecom networks can be exploited for surveillance purposes. We met up with Rowland to find out more.
You recently had the chance to address the European Parliament. Tell us why you were there!
I was invited to intervene as an expert in a public hearing held by the PEGA Committee of Inquiry, which is investigating the reported misuse of surveillance spyware in the EU. Now one year into its work, the Committee’s invitation to Enea appears to follow the realization among its members that the problem of intrusive surveillance involves much more than spyware, as recently expressed by Committee Rapporteur Sophie in ’t Veld.
Telecommunication networks are not new in the EU, so why the sudden political interest in protecting them?
I think the immediacy of the issue at this time stems from a growing understanding of the gaps within and between critical infrastructure protection and cybersecurity frameworks that allow privacy, confidentiality, and digital sovereignty to ‘slip between the cracks’ of our collective resilience. There has been recent recognition of such gaps in respect of the cybersecurity of products with digital elements, for example, which has prompted a proposal for an EU Cyber Resilience Act. However, mobile signaling security continues to represent a systemic blind spot and a sizable gap in EU cyber resilience.
Questions over the use and misuse of spyware have received a lot of attention in Europe and indeed elsewhere in recent times, as reflected, for example, in a new Executive Order by U.S. President Biden prohibiting the federal government’s use of certain commercial spyware products. However, the question of signaling-enabled surveillance has barely been addressed at a political level in Europe until now. Our intervention in this hearing shows recognition of mobile signaling as an important part of the overall threat and signaling security as a key component in addressing the gaps.
Why did the committee invite you to present as an expert?
I think Enea’s competence to contribute to the European Parliament’s work in this area can be gauged from being recognized as an industry leader with strong legitimacy in terms of expertise in this area. We have published a lot of research based on real-world data, such as our series of papers on the Russian invasion of Ukraine; detection of threat actors such as HiddenArt; and discovery of previously unknown vulnerabilities such as Simjacker.
Our contribution to the development of industry security guidelines is also a matter of public record, as it were. Our CTO Cathal Mc Daid was a principal author of FS.11, for example, which continues to serve as an important touchstone for mobile interconnect security today.
What did you call the committee members’ attention to in your speech?
I spoke about the surveillance risk beyond the misuse of spyware that is posed to EU countries by the manipulation of the mobile interconnect environment. Specifically, I talked about the potential for EU telecoms infrastructure and resources to be used by threat actors for the surveillance of targets in many regions globally as well as within the EU.
To illustrate the governance gaps involved, I first highlighted the role played by commercial leasing agreements through which third-country threat actors can obtain the effective use of EU telecoms resources, often exploited in conjunction with access gained in other regions.
I also pointed out that although the basic fact of certain technical vulnerabilities characteristic of signaling systems has been known for some time, the nature of the threat landscape, the ecosystem involved, and the calibre of attackers are far from well understood today.
Now almost ten years on from Karsten Nohl’s very public demonstration of how signaling vulnerabilities can be exploited for surveillance, it is no longer really a question of recognition but rather of resourcing of measures for mitigation.
This is why I stressed the importance for operators, regulators, cyber agencies, and other stakeholders to approach the problem not merely as a question of compliance but as a question of capability to detect and mitigate signaling threats.
While the public hearing was not a forum for technical discussion, it was important for MEPs to understand that beyond the risk of spyware, the very mobile services trusted by EU subscribers, be they public officials or private citizens, might be weaponized with impunity by threat actors.
What is the issue with telecom networks? Why are they so vulnerable?
One overarching issue is that from the very first days of mobile interconnection, security was given comparatively little consideration as mobile technology and services advanced. Indeed, a persistent flaw of the signaling interconnection model, originally developed in the form of SS7 in the mid-1970s, was its assumed trusted access. Today, however, the issue is not so much that inherently insecure protocols persist in use but that they remain unprotected. The specific protocols involved are less important than the nature of interconnection as an attack surface. After all, attackers don’t care about protocols – they care about penetrating networks.
The problem is compounded by the combined effect of persistent gaps in regulatory frameworks, ease of access to signaling systems, and lack, historically speaking, of commercial incentive for operators to resource the requisite security measures.
Who is behind these attacks?
Multiple entities can be involved in any single instance, but ultimately behind all such attacks is a state-level threat actor. This kind of targeting is not in the realm of ‘script-kiddies.’
Key non-state actors involved include cyber-surveillance providers in the form of private companies, which are contracted to conduct targeting activities by nation-state entities. This is not a matter of speculation – indeed, such providers quite openly advertise their services. They, in turn, will usually have leased access to resources from Mobile Network Operators (MNOs). Of course, that part is not advertised, but it is central to this cyber surveillance business model. The most advanced threat groups, which we defend our customers’ subscribers against on an ongoing basis, are able to mobilize resources gained in this way as attack infrastructure spanning dozens of countries worldwide.
It is important to stress that so many possible degrees of separation also means that the mobile operator whose resources are ultimately exploited in this way may be unaware of the misuse, but this, too, is part of the systemic problem to be addressed, as I pointed out to the Committee.
How big would you say the telecom network surveillance problem is?
Using telecom networks for surveillance is not only a hypothetical possibility, but a reality all too common. Based on our intelligence, we estimate that over half of all EU member countries are exposed in this way to the potential illicit use of signaling resources for unauthorized intrusions. Globally, we estimate that over 90% of all operator networks are subject to attempted intrusions by attackers probing for vulnerabilities, sometimes even in a single instance of activity by a single threat actor.
Such activity is mass in scale, but it would be a mistake to consider it indiscriminate. These are deliberate reconnaissance efforts, and through them, attackers gain important intelligence about the individual levels of protection in operator networks worldwide.
What are your recommendations for operators and regulators moving forward?
As I mentioned in my address, ultimately, different countries will be exposed to varying levels of risk. For some, at any given point in time, the risk could be low. What is vital is that stakeholders should be able to determine their countries’ level of exposure over time and respond where required – ideally proactively.
Being proactive begins with understanding what is going on in the networks. The foundation of mitigation is threat discovery. To this end, operators should strive to implement as many GSMA recommendations on interconnect security as possible. At the same time, they should not rely on any static measure of compliance as a guarantee to safeguard their networks and their subscribers.
Another gap that I feel is important to point out here is that of victim notification. All stakeholders, regulators, operators, and national cybersecurity authorities must consider it, especially given the importance of privacy rights in so many other legislative contexts. One of the consequences of this systemic gap in governance is that, even where threat activity can be discovered, no one informs the victims that their personal data was accessed illegally and, indeed, exfiltrated from the subscriber’s network.
What were the reactions from the committee members?
The Committee was very much engaged with what we had to say. Several Members expressed alarm at the insight that so many networks might be exposed to illicit access, the possible scale of unauthorized intrusions, and the potential threat presented to EU citizens.
Hopefully, the efforts of the Committee will prompt meaningful action toward mitigating this strategic risk.
Discover more about how mobile networks are weaponized for surveillance and other attacks in our white paper on mobile network-enabled attacks in hybrid warfare.