Anyone who has written a blog will know that one of the hardest parts is the title. We all want a catchy title, but it also has to be relevant, and those two requirements don’t necessarily go hand in hand. I hope my mention of the Princess of Pop is somewhat relevant and ticks both of those boxes. I had better let you be the judge of that…
Earlier this month, Haaretz, a leading Israeli newspaper, published a story about an Israeli mobile operator that had fallen victim to a major signaling attack affecting dozens of its VIP customers. It is one of the most detailed newspaper articles I have read about the vulnerabilities of inter-operator signaling and, critically, about how operators have reacted to those vulnerabilities.
As I started to read the article I felt a sense of déjà vu. The mention of Israel alone reminded me of some early findings we made in 2014, when we saw fake location updates between the British Isles and Israel. A fake location update of this kind tells the victim’s home network that the subscriber is roaming on another network, so that traffic for that subscriber, including SMS, is routed to wherever the attacker chooses. However, it was the combined mention of Telegram and, later on, verification by SMS, i.e. a one-time password sent over SMS, that caught my eye. Weren’t Israelis the victims of a similar hack I had read about? It took me all of 30 seconds to locate the previous stories addressing these very points. The first, “Mystery Russian Telegram Hacks Intercept Secret Codes To Spy On Messages”, was published by Forbes in December 2019, less than a year ago. The second should have been closer to home for the victim network, since it related to account takeover attacks against Israeli users of WhatsApp. That story was published in October 2018 and confirmed that voicemails containing spoken PINs were compromised, although it is unclear whether this was a simple attack using compromised voicemail credentials or a more sophisticated case of signaling manipulation.
Anyway, back to this blog’s title. At this point, Britney’s magnum opus, “Oops!...I Did It Again”, came to mind. Fan or not (in my case, not), it is an incredibly catchy tune, and it got me thinking about why we humans have a tendency to repeat past mistakes and to ignore the mistakes of others. Of course that isn’t always the case, but it is pretty common, and especially so in the world of telecoms security.
I spend a lot of my time working with carriers around the world. Some of them have approached us to learn more about signaling security issues, others are issuing tenders, and some are operators we have proactively reached out to. In the last category there is a mix of reactions and, without doubt, a small proportion are in “denial mode”. Even when we share detailed evidence of what is happening on their network, the GSMA recommendations and news articles like the ones mentioned above, operators in denial will still say that they aren’t affected, that they don’t see attacks and that their customers don’t complain, i.e. that they can’t be victims.
The reality is that operators around the world are being attacked every day of the year. We have yet to find a network anywhere in the world that is not being attacked through signaling abuse, without a single exception. The only reasonable conclusion is that proper defence mechanisms are required. Naturally, within Mobileum we will recommend our market-leading signaling firewall. Whichever solution you choose, your customers deserve better protection, preferably the best there is. And this brings me back to the unfortunate network that fell victim to the Telegram attack described above. What lessons can we learn from it?
The article contains some troubling details that are worth mentioning. I recognise that these quotes may not accurately reflect the events that took place, which is why I am not naming the operator. However, each of the points below is worth considering, if only for the sake of education:
- [The operator] “replied to our queries with ‘what does it have to do with us?’ ‘We don’t have a data security team,’ and ‘we have sales or customer service.’ One representative even suggested I join their anti-virus service”
- “a few days later they cut off all communication… with their hacked clients, and didn’t answer their queries.”
- [operator said] “Do you think this happened only with this network?” “It is possible other cellular networks have better defenses. Maybe [operator] doesn't have a firewall.”
- In response to the report, [operator] said: “There is no connection between this incident and [operator]. Incidents like these can take place - especially during the coronavirus - to clients of other firms as well.”
Each of these is worth addressing, so here are some suggestions in response to those extracts:
- Denial is never a response. If you don’t yet know what happened, how it happened or what the impact is, simply state that you are investigating. It takes time to analyse these situations, but in the end you will get there.
- Don’t use your own network security issues as an opportunity to sell value-added security services to the victims.
- Maintain communication with affected customers. Even if you don’t have immediate updates for them, you owe them basic updates. They may be victims of crime and deserve to be treated as such.
- Don’t assume that what has happened to your network has happened to others. Maybe some of your competitors have not strengthened their defences. The reality, however, is that at least one of them will have done so, and they will be proud to announce that fact, e.g. here. I promise you, you want to be the network proudly announcing that you have protected your customers, rather than the one stating that you are investigating what has happened.
- Finally, whilst we all understandably talk about COVID-19 all the time, there is a limit to what can be blamed on the global pandemic. Signaling security vulnerabilities that were publicly known more than five years ago are definitely not among those things!
I’m afraid to say that not only are these security weaknesses well known, but we at Mobileum have been warning about them for several years. Two years ago we published a ground-breaking white paper entitled “Trust – the operator’s essential currency”. The paper remains as relevant today as when it was published, and I encourage you to read it. On the very failing of the customer service agent noted above, the paper found the following:
“service agents only demonstrated basic familiarity with on-device security add-ons such as antivirus and malware protection and almost no expertise in network security.”
I will conclude this blog with some inspirational quotes from the Princess of Pop.
“Oops, I did it again” – let’s avoid repeating the mistakes of the past. Vendors like Mobileum are here to help you protect your customers and your network.
“But it doesn't mean that I'm serious” – if this is the case, the attackers will quickly spot it and take advantage. You really do need to be serious about protecting your customers and your network.
“You see my problem is this, I'm dreaming away” – now is the time to take action rather than dreaming about what could be done!