Navigating the Future: The Imperative of Adaptive Security for Mobile Network Operators

Earlier this year, a group of investigative journalists published an astonishing article revealing how one telecom expert gone rogue supplies access to the signaling network to anyone willing to pay for it. The journalists show how governments and companies use his services to access mobile signaling networks, intercept messages and calls, and locate persons of interest, which in one described case had fatal consequences for the victim.

This came as no surprise to us working with signaling security, as the vulnerabilities in signaling networks and the objectives for which they are exploited are well known. The article paints a picture of users of this hacker’s services as well-organized clients, often security companies, in turn selling services to companies and nation-sponsored organizations.

Attacks on the signaling network are done for many reasons. It can be to locate a subscriber, intercept communication to eavesdrop or redirect it, steal information about the network itself, commit fraud for financial gain, disturb the network operations through denial-of-service attacks, or trick subscribers into giving away valuable or classified information such as passwords.

Banks, for example, are seeing increased spoofing attacks against their customers who get tricked into believing it is their bank calling (caller ID spoofing fraud). Even if banks fight this with information on how to act as a bank customer, some will always fall for the trick, paving the way for fraudsters to access their accounts and steal their savings. This is a big menace for banks and their customers, and the situation is the same for many other sectors. For the mobile network operator, it results in a loss of trust and brand equity if not controlled, and ultimately, subscribers will churn.

Signaling attacks can also threaten national security. Telecommunication networks are critical infrastructure essential for a functioning society. This has been made very evident in the war in Ukraine, where mobile communications not only helped to hold the community together but also gave Ukraine the upper hand in the information war as they could show images and videos from their success on the battlefield in the early days of the invasion, helping its allies understand that Ukraine could win the war, provided they received sufficient aid.

Mobile network operators have an essential role to play in securing their networks for the future. Still, there is also a national interest in ensuring resilience for mobile networks and protecting mobile subscribers, driven by regulators and fueled by companies and interest groups. Operators are under increased scrutiny by regulators to secure their networks against signaling attacks.

From Trust to Zero-trust in Signaling

SS7 is the most used signaling protocol and is notorious for its vulnerabilities. It originated in the 1970s when trust between operators was not an issue and access for outside parties was non-existent. One might think the solution is to modernize networks by implementing protocols with better security designs. As it turns out, newer protocols such as Diameter have not solved the security issues. It, too, can be exploited, typically by utilizing the lack of end-to-end security when routed through several hops.

Even if modernization of the signaling systems would provide secure protocols and architectures, the legacy will overturn the win. In a recent report, GSMA states that ”most operators worldwide will continue to maintain 2G and 3G networks for the foreseeable future”. SS7 and its vulnerabilities will remain in our mobile networks for a long time, alongside Diameter and GTP-C with their respective vulnerabilities. Not even 5G, touted for its security improvements, will be able to change this as the complexity of roaming evolved from previous network generations will put an effectual stop to it. Besides, 5G stand-alone is still lingering, placing 5G non-stand-alone using Diameter as the signal bearer in most available 5G networks and in most 5G roaming setups.

There is no end in sight for signaling vulnerabilities, and threat actors continue to search for new vulnerabilities and ways to exploit old and new protocols to find the weakest link. This link is often a complex combination of different protocols and methods.

That does not mean there cannot be security in signaling networks. GSMA provides recommendations to operators on how to protect the signaling network, which is like a blueprint for a signaling firewall. Some parts of these recommendations (i.e., FS.11 cat 1 and cat 2) are somewhat like a checklist; once these recommendations are covered by protection, very little will change. Other recommendations (i.e., cat 3) have never been intended as a foundation for static protection but rather for a continuous review and update of the security. This is because they cover signaling traffic that needs intelligence to determine whether it is malicious. It is traffic that cannot be determined to be legitimate or not based solely on the type of packet, its origin, or its destination. For these packets, the context must be understood for accurate detection and blocking, for example, by knowing the sender. This knowledge comes from threat intelligence.

GSMA’s recommendations do not cover all malicious traffic. Some traffic that should be blocked will pass firewalls that only provide strict compliance with the recommendations. Going beyond the recommendations, focusing on capabilities rather than compliance, is needed to stay ahead of attackers. One example is the ability to do cross-protocol correlation in real time. When an attack utilizes several protocols, the signaling could seem legitimate on each bearer, but a pattern revealing an attack could emerge when adding them together.

In a threat landscape where the attackers never rest, signaling security must be adaptable to ensure the accuracy to protect against new and evolving threats. However, adaptability is only valuable if there are insights on what to adapt to. Again, the insights come from threat intelligence.

Actionable threat intelligence that can be fed into a signaling firewall to keep its accuracy high over time requires a global footprint of networks to collect intelligence from. It also requires signaling threat intelligence experts who can analyze the data. This is not always a resource operators have in-house or can acquire.

Towards a More Secure Future

In a world where trust is becoming scarce and attack vectors a commodity, mobile network operators are under near-constant attack. Amidst the pressure to protect networks and comply with an evolving regulatory landscape, security solutions offering accuracy and adaptability are indispensable. Yet, with an arsenal of security solutions rewarding capability before compliance at their disposal, mobile network operators are well-poised to navigate the waters of the modern signaling threat landscape, ensuring the security and reliability of mobile networks.