May 11th 2018
This article first appeared in Vanilla Plus https://www.vanillaplus.com/2018/05/09/38107-time-address-mobile-signaling-threats/
Vulnerabilities around the SS7 mobile data network and Diameter have been a nagging and costly problem within the telecoms industry for years, writes Gary Miller, the vice president of Global Solutions at Mobileum.
In some ways it’s very much the elephant in the room that’s been hiding in plain sight, but it can’t be ignored by operators for much longer. The next headline-grabbing attack has the potential to permanently damage reputations and hurt unsuspecting customers, while the long-term financial and legal ramifications for operators could be devastating. All it will take is a single attack on a high-profile target to light the powder keg.
Researchers first shed light on the problem in 2014, showing how SS7 weaknesses can be used to track people and intercept their communications. Things haven’t improved much since, with hackers exploiting this blind spot last year by draining the bank accounts of unaware O2-Telefónica customers in Germany to the tune of US$200,000. The hackers were lightning fast, and knew that by targeting users on one network, they’d effectively be able to do what they pleased with the accounts.
The O2-Telefónica attacks should have been a wake-up call for the industry. However, more than a year later, not nearly enough action has been taken. The reality is that signaling security standards still aren’t where they need to be, turning network security into a high-stakes game in which operators are fighting to beat the next generation of hackers looking to expose this and every other potential flaw. Worryingly, network threats are becoming so much faster and more sophisticated that a US$200,000 fraud will soon seem like pennies if things don’t change. Under the umbrella of signaling security, the threats aren’t limited to SS7 alone. Diameter has become the emerging attack vector, and data-centric attacks using the GTP protocol are coming to the surface.
Some policy makers have been taking note. In the US, California Congressman Ted Lieu has been a vocal proponent of having carriers address the problems around SS7. He was previously – with his consent – hacked as part of a demonstration of SS7’s many flaws for a feature on CBS News. In addition, Senator Ron Wyden of Oregon has issued formal letters to the US National Security Agency (NSA) and to US mobile operators regarding the US Department of Homeland Security’s 2017 report on cybersecurity threats related to mobile phones and cellular networks. Beyond the US, in the UK the National Cyber Security Centre (NCSC) has issued calls for increased protection of UK mobile operator networks. Public efforts like these are bringing to light the notion that SS7 and other signaling threats can affect us all at any time. It’s not just an operator problem.
Clearly this needs to be addressed, but it also raises an important question: where do the blame and responsibility ultimately lie in the event of a hack? Fundamentally, it is easy to argue that the hacker(s) are to blame. But how and why were they able to hack in the first place? Why was there no protection? How were they able to do so, so easily? And how responsible are operators in terms of preventing such attacks? Not addressing core security issues will only lead to more complex questions down the road for operators, questions that don’t have easy answers and that ultimately leave the entire industry open to scrutiny.
So how can operators halt the cycle and address the root causes of security vulnerabilities? It should start with a new mindset. Operators will need to adopt a proactive, rather than reactive, approach to dealing with known and unknown threats within their networks. But admittedly that’s a lot harder than it sounds given the sheer amount of data going over networks today.
Between the prevalence of streaming video services, the rise of IoT, and the steady increase in smartphone data usage, networks are showing signs of stress. Nowhere is this more apparent than in security monitoring and management, where it is becoming near impossible for traditional security processes to scale.
Looking back at the O2-Telefónica hack, an effective SS7 firewall would have provided an additional layer of security. But protection is only as good as the threats you are able to detect. Looking forward, operators will also need to lean on the latest advances in analytics and AI to detect emerging and advanced threats proactively, stay ahead of attackers and secure their networks.
Threat intelligence feeds, visibility and monitoring, and deep learning algorithms all play critical roles in stamping out threats before they even start. Machine-learning-based analytics platforms can provide real-time analysis of the massive amounts of data that operators handle, give visibility into threats beyond their own network, provide forensic tools and help them make sense of it all.
All of this gives operators assurance that SS7, Diameter, GTP and other signaling threats are being monitored for and protected against in real time. But even more importantly, it empowers operators to take on the elephant in the room once and for all, and level the playing field.