5G signaling networks: blast from the past
Why do old vulnerabilities still impact 5G security?
positive-tech.com
Introduction
Mobile technologies have become part of everyday life, making them an increasingly appealing target for criminals. Some of these threats are quite well known: security researchers have long been discussing vulnerabilities in 2G and 3G networks. Traditional two-factor authentication by SMS is no longer recommended for securing critical services. However, additional threats are coming to the forefront. The main consumers of communication services are no longer people, but Internet of Things devices. IoT adoption has taken off following the deployment of 5G networks in a number of countries. The security of the IoT depends on how well mobile technologies are protected.
100% of LTE networks remain vulnerable to denial-of-service attacks, and 5G relies heavily on LTE [2]
Each generation of mobile networks must interoperate with previous ones. As a result, newer generations tend to inherit the weaknesses of their predecessors. 5G relies on 4G networks, and 4G itself performs some functions via 2G/3G. Here we will consider the security threats to different generations of mobile networks. Our analysis is based on security testing of SS7, Diameter, and GTP networks.
Internet of Things connections growth [1]: total connections 9.1 bn in 2018, 25.2 bn in 2025
9 out of 10 messages can be intercepted, even though 41% of networks have filtering and blocking mechanisms in place [2]
SS7 is a system for exchanging signaling messages used in 2G and 3G networks. The Signaling System 7 standard was developed at a time when only fixed-line operators had access to the network. Security was an afterthought. But in the current environment, SS7 is no longer isolated. Both legitimate operators and attackers can gain access to it. SS7 has architectural flaws that allow executing a whole range of attacks [3], including eavesdropping, SMS interception, and fraud.
4G networks use the Diameter signaling protocol, which also contains security flaws. In fact, vulnerabilities in the Diameter protocol allow hackers to conduct almost the same range of attacks [4] on subscribers and mobile operators as were possible on previous-generation networks.
The GTP protocol is used to transmit user and control traffic on 2G, 3G, and 4G networks. Like other protocols, GTP has flaws [5] that can enable interception of user data, fraud, and denial of service.
In this paper, we answer frequently asked questions to explain why vulnerabilities in previous-generation networks still matter for the security of nascent 5G networks. Read on to learn about hacker attacks that are possible in 5G and what operators can do to protect themselves.
[1] gsmaintelligence.com/research/?file=b9a6e6202ee1d5f787cfebb95d3639c5&download
[2] According to our 2019 security research. The full report will be released in 2020.
[3] positive-tech.com/research/ss7-vulnerability-2018/
[4] positive-tech.com/research/diameter-2018/
[5] positive-tech.com/research/epc-research/
In 92% of networks, attackers can bypass billing systems and use mobile communications for free [2]
Questions and answers
Why do vulnerabilities in SS7 still matter if newer protocols have been released?
While newer protocols exist, security is only as strong as the weakest link. Attackers can still make use of any vulnerabilities in SS7 because operators continue to implement the older GSM (2G) and UMTS (3G) standards. Even LTE-only networks using the Diameter protocol instead of SS7 must interconnect with previous-generation networks. So in practice, these networks, too, are vulnerable to some SS7 attacks.
Will the current protocols remain relevant in years ahead?
SS7 shows no signs of riding off into the sunset any time soon. According to GSMA estimates [1], the user base of 4G/5G subscribers is only starting to approach that of 2G/3G users. The number of 3G users is unlikely to decline significantly until at least 2025. But even at that time SS7 networks will continue to be relevant, since 2G/3G users are projected to account for a quarter of all subscribers (not counting IoT devices).
[Figure: Technology mix by generation (2G, 3G, 4G, 5G), 2018 vs. 2025; % of mobile connections excluding cellular IoT]
As for the Diameter protocol, it will remain pertinent for even longer. The percentage of 4G users will rise until at least 2024. What's more, 5G networks currently use the non-standalone architecture, in which 5G is built on top of 4G infrastructure.
Security issues with the GTP protocols used in 2G, 3G, and 4G networks will not fully disappear even with the transition to 5G Standalone. According to specifications still under development, 5G Standalone will retain GTP, albeit just for transferring user data (via the GTP-U protocol).
How can vulnerabilities in SS7 and Diameter affect 5G and the IoT?
We have already discussed [6] potential security issues in 5G networks. Even though the specification developers took into account the security flaws of previous generations of mobile networks, new technologies come with new risks. With 5G, operators will have to grapple with virtualization, more complex administration, and use of standard internet protocols with which hackers are already familiar. At the same time, 5G networks are inseparably linked to their predecessors.
Today's 5G networks have the non-standalone architecture. They rely on a 4G LTE core network (EPC). This improves the bandwidth and latency of user data by connecting a 5G base station to existing 4G infrastructure. During the transition stage, devices will connect to 5G frequencies for data transmission, but will still rely on 4G and even 2G/3G networks for voice calls and SMS messaging. Because of this, all the security concerns of previous generations will remain relevant for 5G networks.
[Figure: Use of 4G infrastructure in 5G networks [7] (diagram labels: NR, LTE, EPC, control plane, user plane)]
[6] positive-tech.com/research/5g-security-issues/
[7] gsma.com/futurenetworks/wp-content/uploads/2018/04/Road-to-5G-Introduction-and-Migration_FINAL.pdf
[8] vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
[9] enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g
5G networks interwork with other mobile networks. Therefore, hackers can perform cross-protocol attacks by exploiting vulnerabilities in multiple protocols as part of a single attack. For example, an attack on a 5G network can begin with exploitation of vulnerabilities in 3G to obtain subscriber identifiers. That is why protecting previous generations of networks is essential for 5G security.
Without securing the underlying telecommunication technologies, smart IoT systems cannot be kept safe. The biggest security threat to IoT devices is denial of service. The results of our real-world testing are alarming: across all networks, whether 2G, 3G, 4G, or even 5G, attackers can deprive subscribers of service. Smart home components or industrial equipment could be made unavailable at a critical moment. As 5G mobile technologies and IoT devices evolve, so does the threat landscape. Now even connected cars or smart city systems could be targeted by hackers.
Have these vulnerabilities actually been exploited in the wild?
In early 2019, clients of Metro Bank in the United Kingdom fell victim to an SS7 attack [8]: hackers exploited flaws in the signaling protocol to intercept SMS messages used for two-factor authentication. This is not the first such case. In one incident involving a German mobile operator, attackers managed to steal money from subscribers' bank accounts.
Not all incidents are made public. And not all operators even have the necessary technology to identify illegitimate activity. Threat analysis by PT Telecom Attack Discovery proves that mobile network attacks are not just isolated incidents or theoretical oddities, but a daily reality that mobile operators are facing now.
According to ENISA, more than 80% of the telecom providers have declared having security incidents [9]
23,000+ attack attempts hit a mobile operator on average per day, according to data gathered from PT Telecom Attack Discovery live installations
Who can fall victim?
Any person using mobile technologies is at risk. The threat goes beyond eavesdropping on subscriber conversations (although this can pose a real threat to politicians). It goes beyond hacking online banks by intercepting codes from SMS messages. People increasingly rely on IoT devices, which themselves rely on a robust Internet connection. But if this connection is not properly secured, such reliance may backfire in a major way.
Mobile operators are also at risk, bearing financial losses if targeted by fraudsters (who can bypass billing systems) or if abandoned by subscribers (who have money stolen due to operator insecurity or whose IoT devices stop working due to denial of service).
Depending on local legislation, mobile operators may also be subject to fines. Many jurisdictions have adopted laws on data protection, such as the GDPR in the EU and LGPD in Brazil, allowing regulators to impose fines in case of a data breach.
Any person using mobile technologies, any connected IoT device, or the mobile operator itself can fall victim to a hacker attack
Recommendations
Securing MNO networks requires a thorough understanding of the problems and a systematic approach to solving them.
As a start, operators should follow GSMA security guidelines. According to ENISA estimates, only 30 percent of operators in the EU have implemented them. (In developing countries, fewer than 0.5 percent have done so.) It is crucial that operators adapt these guidelines intelligently based on real conditions on their networks, and then follow through to make sure that security is working as intended.
Security testing determines the effectiveness of existing measures, highlights vulnerabilities and risks, and offers a wealth of data for making improvements. If performed periodically, testing allows problems to be caught in time. Security settings must also be kept up to date, with verification both periodically and each time that network equipment is added or reconfigured.
Signaling traffic must be monitored and analyzed as it crosses the network border. This identifies potential threats and configuration errors. Such monitoring is encouraged by GSMA guidelines. To implement this, operators employ special threat detection systems that can analyze signaling traffic in real time and detect illegitimate activity by external hosts. These solutions block illegitimate messages without impacting network performance or subscriber availability. They can also relay information to other protection systems for maximum effectiveness.
[Figure: Vulnerability management process: Detect, Protect, Audit]
Detect. Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Protect. Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process.
Audit. Auditing provides essential visibility to fully understand your ever-changing network risks.
Security must be a priority during the design stage. This is more true now than ever before, as operators begin to tackle construction of new 5G networks. Attempts to implement security as an afterthought at later stages may cost much more: operators will likely need to purchase additional equipment, at best. At worst, operators may be stuck with long-term security vulnerabilities that cannot be fixed later.
About Positive Technologies
Positive Technologies is a global cybersecurity company. Its flagship Telecom Cybersecurity Suite enables network operators to drive business performance while protecting their subscribers and services. By providing greater visibility into infrastructure vulnerabilities and securing customer services, Positive Technologies helps to strengthen loyalty, drive revenue with value-added security offerings, and protect emerging telecom technologies such as 5G and the IoT.