Advice note: this is a non-technical article aimed at those involved in the international roaming business that will need to address forthcoming security issues in 5G roaming
Security professionals realise that one of their greatest challenges is securing their organisations in a manner that allows the business to operate efficiently. It is usually necessary to strike a balance between the desired level of security and the need for the business to have efficient operations. The paradox of security and ease of use is illustrated by the daft choices that most users make for passwords.
Most people understand that passwords need to be complex, hard to guess and unique for each website. Despite this, huge numbers of people continue to select simple passwords that are easy to remember (and crack). Even worse, they reuse them over multiple websites. Perhaps it passed you by, but apparently the first Thursday of each May is “World Password Day”! I confess I did not celebrate by reviewing all of my password choices. A variety of articles   were published giving tips for securing passwords. However, the Wikipedia page dedicated to the most used passwords pointed me to SplashData’s annual worst password list which confirms this remains a major issue. So let’s consider the top 5:
1 - 123456 (rank unchanged from 2018)
2 - 123456789 (up 1)
3 - qwerty (Up 6)
4 - password (Down 2)
5 - 1234567 (Up 2)
These are so banal that I won’t even pass comment! Whilst the paradox of security and operational efficiency is clear, how does this relate to 5G and international roaming?
Let’s start with the undisputed good news. 5G has been designed from the ground up with security in mind. For those of you with long memories, you may recall the days of phone scanners being used to listen to the unencrypted conversations of users – particularly the British royal family. The GSM standard was the second generation of mobile communication technology, using digital technology to deliver encryption over the radio network. It fixed that particular problem but traffic crossing the core network remained totally unprotected.
It has taken until the 5th generation of mobile networks to deliver end to end signalling security between roaming and interconnect partners. The platform responsible for this is the SEPP – Security Edge Protection Proxy. Finally the core network is protected with end to end security by design rather than as an after thought. This is long overdue and a huge improvement but it is not a cure for the threats MNOs face (more about that below).
The SEPP has a number of roles which can be summarised as:
- Encrypting and decrypting signalling traffic leaving and entering the network
- Authenticating the SEPP originating incoming signalling
- Validating signalling timestamps to ensure that messages have not been replayed
- Ensuring any amendments to signalling are authorised and recorded as such
It is important to take note that whilst the SEPP is a huge improvement to security, it will only enable you to confirm that a message truly came from its purported originator, that it has not been subject to unauthorised manipulation and that is has not been replayed. It will not confirm that the message being processed is inherently good or safe! Sadly, the abuse of roaming signalling connectivity is commonplace - just consider SMS grey routes!
Nonetheless, the SEPP does bring improvements which merit consideration. Without going into the details of cryptography (which I am not qualified to do anyway!), it is critical to appreciate that key management is pivotal. Keys are used to encrypt and decrypt communication. Given the criticality of keys it is highly likely that the exchange of these keys will be done on a bilateral basis – anything centralised would simply be too risky. A single or limited number of locations holding multiple keys would become an enormous target for hackers globally! Yet that is being discussed within the GSMA’s Working Groups right now!
The problem is that whilst a bilateral approach is best practice it is also challenging. We are now in an era of winding down roaming resources as regulation and retail competition has impacted revenues and margins – i.e. there are less resources to do the BAU tasks of maintaining roaming relationships, commercials, launching new services and launching new partners.
This means testing 5G launches will be a challenge. Rollout launch testing may not be required in 5G non-standalone mode, since the core network technology is still 4G, global device testing can be assumed to be a significant effort. In 5G standalone mode, rollout launch testing will likely be required since it will use completely new signalling protocols. That means key exchange will form a logical part of any inter-operator testing set up.
It is possible that this may become a simple step that is part of bilateral testing preparation. However, if bilateral testing is not the norm or there is any concept of outsourced testing or using hubbing services then key exchange could be a significant challenge.
At this point I need to make clear that Mobileum is in an interesting and conflicted position on this aspect. We are the leader in inter-network security solutions and we are also the leader in roaming Value Added Services. Many of the leading IPXs and roaming hubs use our platforms to offer outsourced Value Added Services for roaming solutions. Meanwhile many of the world’s leading operators rely upon us for our signalling firewalls. We are genuinely committed to meeting all of our customers’ needs and requirements.
The reality is that the security and roaming domains are not necessarily totally aligned. The security manager wants to lock everything down as much as possible whilst the roaming manager wants everything to work easily and quickly - if short cuts are required so be it. Let’s face it, in the rush to launch the most competitive 5G roaming footprint, it is hard to see the Security team overruling the Marketing team!
So the conflict is back to the point I made earlier in this article – security vs operational efficiency.
From a security perspective this means maximum practicable security - I am confident that many operators will adopt that approach. However, I also recognise that for smaller networks there may be a desire to adopt less secure approaches for practical reasons. An example of this would be outsourcing the function of the SEPP to an IPX. Outside of operators that are members of a large corporate group with an in-house IPX, it is hard to envisage many Tier 1 operators outsourcing the SEPP to an IPX since this would mean providing the MNO’s private keys to the IPX and giving the IPX full visibility of their roaming traffic. However, many smaller operators will request this of their IPX despite these risks. As a leading stakeholder in securing our customer’s networks we can only suggest everyone approaches this option with caution and full consideration of the security implications.
IPXs claim they are secure so there is no risk in doing this – in fact I heard an IPX representative state in a GSMA meeting that “everyone knows that IPXs are secure”. Is that really true? Public information is scarce but we know from wikileaks that one leading IPX was compromised for many years. No doubt there are other examples that are not yet in the public domain.
The reality is if we look at other sectors, how many companies do you recall stating that their operations are insecure?! However, the list of companies that have had security failings is non-ending!!! Just reviewing the obviously incomplete Wikipedia page details 313 hacks and 12bn individual records being compromised since 2004. That is an incredibly large number. Looking at the list of breaches, I personally may have been impacted by 17 of them!!
As security specialists, we would question any company that publicly claims that they have total security. The key to managing security is to minimise the risk by design - the more points of entry, the greater the risk of compromise. We must assume that all organisations are potentially insecure. This means that any outsourcing of key management must increase the risk of compromise. However, let’s recognise the huge role that Value Added Service providers like Mobileum and IPX Providers add to the ecosystem.
- Many operators are simply too small to scale up and manage all aspects of roaming in-house. They must be free to outsource their own security management, albeit recognising that some of their roaming partners may choose not to roam with them if their own security standards are not met.
- It is critical that the SEPP not only supports the requirements of encryption, authentication and preventing playback etc but it must also be an operationally efficient tool. We therefore believe efficient key management must form a key part of its role. Could this enable outsourcing where efficient but allow insourcing where required to launch key roaming relationships?
- Operators must not make the mistake of assuming the SEPP means the end of their work to the secure their 5G networks. In fact, a SEPP without a multi-protocol signalling firewall still results in an exposed network and customers at risk from attacks such as denial of service, interception of calls and SMS and location tracking.
So with all of these challenges, is there a way to deliver end to end, MNO to MNO, security whilst also delivering outsourced Value Added roaming Services? An interesting compromise to this paradox has recently been suggested by some IPX vendors. Called the “hairpin”, traffic will arrive at the home MNO, be authenticated and decrypted and where required will be sent back to a outsourced solution provider (e.g. an IPX or hosted vendor solution) for provision of the value added service. Clearly latency and performance will be a challenge to overcome for those operators that adopt this approach, but this will preserve the end to end security, from MNO to MNO, where required. This will deliver the end to end security that some operators require as well as the ability to outsource roaming services for other operators.
On a final note, it is important to remind ourselves that the security that 5G will provide is actually limited. Until 5G in standalone mode is the only solution in town, and that will not be for at least 20-30 years, existing vulnerabilities will remain – spoofing, interception, denial of service, tracking etc.