5G signaling networks: blast from the past Why do old vulnerabilities still impact 5G security?

positive-tech.com

Introduction

Each generation of mobile networks

must interoperate with previous ones. As a result, newer generations tend to inherit the weaknesses of their predecessors

Mobile technologies have become part of everyday life, making them an increasingly

appealing target for criminals. Some of these threats are quite well known: security re-

searchers have long been discussing vulnerabilities in 2G and 3G networks. Traditional

two-factor authentication by SMS is no longer recommended for securing critical ser-

vices. However, additional threats are coming to the forefront. The main consumers of

communication services are no longer people, but Internet of Things devices. IoT

adoption has taken off following the deployment of 5G networks in a number of coun-

tries. The security of the IoT depends on how well mobile technologies are protected.

of LTE networks remain vulnerable to denial-of-service attacks, and 5G relies heavily on LTE2 100%

Each generation of mobile networks must interoperate with previous ones. As a result,

newer generations tend to inherit the weaknesses of their predecessors. 5G relies on

4G networks, and 4G itself performs some functions via 2G/3G. Here we will consider

the security threats to different generations of mobile networks. Our analysis is based

on security testing of SS7, Diameter, and GTP networks.

Internet of Things connections growth1

2018 Total connections 2025

9.1 bn 25.2 bn

2

messages can be intercepted, despite 41% of networks have filtering and blocking mechanisms in place2OF 10

9 OUT

SS7 is a system for exchanging signaling messages used in 2G

and 3G networks. The Signaling System 7 standard was devel-

oped at a time when only fixed-line operators had access to

the network. Security was an afterthought. But in the current

environment, SS7 is no longer isolated. Both legitimate oper-

ators and attackers can gain access to it. SS7 has architectural

flaws that allow executing a whole range of attacks,3 includ-

ing eavesdropping, SMS interception, and fraud.

4G networks use the Diameter signaling protocol, which also

contains security flaws. In fact, vulnerabilities in the Diameter

protocol allow hackers to conduct almost the same range of

attacks4 on subscribers and mobile operators as were possible

on previous-generation networks.

The GTP protocol is used to transmit user and control traffic on

2G, 3G, and 4G networks. Like other protocols, GTP has flaws5

that can enable interception of user data, fraud, and denial of

service.

In this paper, we will discuss the frequently asked questions to

explain why vulnerabilities of previous-generation networks still

matter for security of nascent 5G networks. Read on to learn

about hacker attacks that are possible in 5G and what opera-

tors can do to protect themselves.

1 gsmaintelligence.com/research/?file=b9a6e6202ee1d5f787cfebb95d3639c5&download

2 According to our 2019 security research. The full report will be released in 2020

3 positive-tech.com/research/ss7-vulnerability-2018/

4 positive-tech.com/research/diameter-2018/

5 positive-tech.com/research/epc-research/

of networks attackers can bypass billing systems and use mobile communications for free2In 92%

3

5G signaling networks

Questions and answers

Why do vulnerabilities in SS7 still matter if newer protocols have been released?

While newer protocols exist, security is only as strong as the weakest link. Attackers

can still make use of any vulnerabilities in SS7 because operators continue to imple-

ment the older GSM (2G) and UMTS (3G) standards. Even LTE-only networks using

the Diameter protocol instead of SS7 must interconnect with previous-generation net-

works. So in practice, these networks, too, are vulnerable to some SS7 attacks.

Will the current protocols remain relevant in years ahead?

SS7 shows no signs of riding off into the sunset any time soon. According to GSMA es-

timates,1 the user base of 4G/5G subscribers is only starting to approach that of 2G/3G

users. The number of 3G users is unlikely to decline significantly until at least 2025. But

even at that time SS7 networks will continue to be relevant, since 2G/3G users are pro-

jected to account for a quarter of all subscribers (not counting IoT devices).

Technology mix*

3G

2G

4G

5G

29%

28% 60%

2018

20%15% 5%43%

2025

*% of mobile connections excluding cellular IoT

As for the Diameter protocol, it will remain pertinent for even longer. The percentage

of 4G users will rise until at least 2024. What's more, 5G networks currently have the

non-standalone architecture, in which 5G is built on top of 4G infrastructure.

Security issues with the GTP protocols used in 2G, 3G, and 4G networks will not fully

disappear even with the transition to 5G Standalone. According to specifications still

under development, 5G Standalone will retain GTP, albeit just for transferring user data

(via the GTP-U protocol).

4

How can vulnerabilities in SS7 and Diameter affect 5G and the IoT?

We have already discussed6 potential security issues in

5G networks. Even though the specification developers

took into account the security flaws of previous gener-

ations of mobile networks, new technologies come with

new risks. With 5G, operators will have to grapple with

virtualization, more complex administration, and use

of standard internet protocols with which hackers are

already familiar. At the same time, 5G networks are in-

separably linked to their predecessors.

Today's 5G networks have the non-standalone architec-

ture. They rely on a 4G LTE core network (EPC). This allows

improving the bandwidth and latency of user data with a

5G base station connected to existing 4G infrastructure.

During the transition stage, devices will connect to 5G fre-

quencies for data transmission, but will still rely on 4G and

even 2G/3G networks for voice calls and SMS messaging.

Because of this, all the security concerns of previous gen-

erations will remain relevant for 5G networks.

NR LTE

Control plane

User plane

EPC

Use of 4G infrastructure in 5G networks7

6 positive-tech.com/research/5g-security-issues/

7 gsma.com/futurenetworks/wp-content/uploads/2018/04/Road-to-

5G-Introduction-and-Migration_FINAL.pdf

5

5G signaling networks

8 vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

9 enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g

5G networks interwork with other mobile networks. Therefore, hack-

ers can perform cross-protocol attacks by exploiting vulnerabilities in

multiple protocols as part of a single attack. For example, an attack on a

5G network can begin with exploitation of vulnerabilities in 3G to obtain

subscriber identifiers. That is why protecting previous generations of net-

works is essential for 5G security.

Without securing the underlying telecommunication technologies,

smart IoT systems cannot be kept safe. The biggest security threat to

IoT devices is denial of service. The results of our real-world testing are

alarming: across all networks, whether 2G, 3G, 4G, or even 5G, attackers

can deprive subscribers of service. Smart home components or industrial

equipment could be made unavailable at a critical moment. As 5G mobile

technologies and IoT devices evolve, so does the threat landscape. Now

even connected cars or smart city systems could be targeted by hackers.

Have these vulnerabilities actually been exploited in the wild?

In early 2019, clients of Metro Bank in the United Kingdom fell victim to an

SS7 attack:8 hackers exploited flaws in the signaling protocol to intercept

SMS messages used for two-factor authentication. This is not such first

case. In one incident involving a German mobile operator, attackers man-

aged to steal money from subscribers' bank accounts.

Not all incidents are made public. And not all operators even have the

necessary technology to identify illegitimate activity. Threat analysis by

PT Telecom Attack Discovery proves that mobile network attacks are not

just isolated incidents or theoretical oddities, but a daily reality that mo-

bile operators are facing now.

According to ENISA, more than

80% of the telecom providers

have declared having security incidents 9

attack attempts hit a mobile operator on average per day, according to data gathered from PT Telecom Attack Discovery live installations23,000+

6

Who can fall victim?

Any person using mobile technologies is at risk. The threat

goes beyond eavesdropping on subscriber conversations

(although this can pose a real threat to politicians). It goes

beyond hacking online banks by intercepting codes from

SMS messages. People increasingly rely on IoT devices,

which themselves rely on a robust Internet connection.

But if this connection is not properly secured, such reli-

ance may backfire in a major way.

Mobile operators are also at risk, bearing financial losses

if targeted by fraudsters (who can bypass billing systems)

or if abandoned by subscribers (who have money sto-

len due to operator insecurity or whose IoT devices stop

working due to denial of service).

Depending on local legislation, mobile operators may

also be subject to fines. Many jurisdictions have adopted

laws on data protection, such as the GDPR in the EU and

LGPD in Brazil, allowing regulators to impose fines in case

of a data breach.

Any person using mobile

technologies, connected

IoT device, or mobile

operator itself can fall victim to a hacker attack

7

5G signaling networks

Securing MNO networks requires a thorough under-

standing of the problems and systematic approach to

solving them.

As a start, operators should follow GSMA security

guidelines. According to ENISA estimates, only 30 per-

cent of operators in the EU have implemented them.

(In developing countries, fewer than 0.5 percent have

done so.) It is crucial that operators adapt these guide-

lines intelligently based on real conditions on their net-

works, and then follow through to make sure that secu-

rity is working as intended.

Security testing determines the effectiveness of exist-

ing measures, highlights vulnerabilities and risks, and

offers a wealth of data for making improvements. If

performed periodically, testing allows catching prob-

lems in time. Security settings must also be kept up to

date, with verification both periodically and each time

that network equipment is added or reconfigured.

Signaling traffic must be monitored and analyzed as

it crosses the network border. This identifies potential

threats and configuration errors. Such monitoring is

encouraged by GSMA guidelines. To implement this,

operators employ special threat detection systems

that can analyze signal traffic in real time and detect

illegitimate activity by external hosts. These solutions

block illegitimate messages without impacting net-

work performance or subscriber availability. They can

also relay information to other protection systems for

maximum effectiveness.

Recommendations

8

Vulnerability management process

Detect

Audit

Pro

tec

t

Detect. Non-stop real-time threat detec-

tion is essential for verifying the effective-

ness of network security and supporting

rapid detection and mitigation.

Protect. Completely secure your network

by addressing both generic vulnerabilities

(GSMA) and the threats that actually affect

you as part of an ongoing process.

Audit. Auditing provides essential visibility

to fully understand your ever-changing

network risks.

Security must be a priority during the design stage.

This is more true now than ever before, as operators

begin to tackle construction of new 5G networks.

Attempts to implement security as an afterthought

at later stages may cost much more: operators will

likely need to purchase additional equipment, at best.

At worst, operators may be stuck with long-term se-

curity vulnerabilities that cannot be fixed later.

9

5G signaling networks

About Positive Technologies

Positive Technologies is a global cybersecurity company. Its flagship Telecom Cybersecurity Suite enables network operators to drive business performance while protecting their subscribers and services. By providing greater visibility into infrastructure vulnerabilities and securing customer services, Positive Technologies helps to strengthen loyalty, drive revenue with value-added security offerings, and protect emerging telecom technologies such as 5G and the IoT.

positive-tech.comcontact@positive-tech.com PT AG-5G signaling networks_A4.ENG.0006.06