Mobile technologies have become part of everyday life, making them an increasingly appealing target for criminals. Some of these threats are quite well known: security researchers have long been discussing vulnerabilities in 2G and 3G networks. Traditional two-factor authentication by SMS is no longer recommended for securing critical services. However, additional threats are coming to the forefront. The main consumers of communication services are no longer people, but Internet of Things devices. IoT adoption has taken off following the deployment of 5G networks in a number of countries. The security of the IoT depends on how well mobile technologies are protected.
Each generation of mobile networks must interoperate with previous ones. As a result, newer generations tend to inherit the weaknesses of their predecessors. 5G relies on 4G networks, and 4G itself performs some functions via 2G/3G. Here we will consider the security threats to different generations of mobile networks. Our analysis is based on security testing of SS7, Diameter, and GTP networks.
SS7 is a system for exchanging signaling messages used in 2G and 3G networks. The Signaling System 7 standard was developed at a time when only fixed-line operators had access to the network. Security was an afterthought. But in the current environment, SS7 is no longer isolated. Both legitimate operators and attackers can gain access to it. SS7 has architectural flaws that allow executing a whole range of attacks[3], including eavesdropping, SMS interception, and fraud.
4G networks use the Diameter signaling protocol, which also contains security flaws. In fact, vulnerabilities in the Diameter protocol allow hackers to conduct almost the same range of attacks[4] on subscribers and mobile operators as were possible on previous-generation networks.
The GTP protocol is used to transmit user and control traffic on 2G, 3G, and 4G networks. Like other protocols, GTP has flaws[5] that can enable interception of user data, fraud, and denial of service.
In this paper, we answer frequently asked questions to explain why vulnerabilities of previous-generation networks still matter for the security of nascent 5G networks. Read on to learn about hacker attacks that are possible in 5G and what operators can do to protect themselves.
Questions and answers
Why do vulnerabilities in SS7 still matter if newer protocols have been released?
While newer protocols exist, security is only as strong as the weakest link. Attackers can still make use of any vulnerabilities in SS7 because operators continue to implement the older GSM (2G) and UMTS (3G) standards. Even LTE-only networks using the Diameter protocol instead of SS7 must interconnect with previous-generation networks. So in practice, these networks, too, are vulnerable to some SS7 attacks.
Will the current protocols remain relevant in the years ahead?
SS7 shows no signs of riding off into the sunset any time soon. According to GSMA estimates[1], the user base of 4G/5G subscribers is only starting to approach that of 2G/3G users. The number of 3G users is unlikely to decline significantly until at least 2025. But even at that time SS7 networks will continue to be relevant, since 2G/3G users are projected to account for a quarter of all subscribers (not counting IoT devices).
As for the Diameter protocol, it will remain pertinent for even longer. The percentage of 4G users will rise until at least 2024. What's more, 5G networks currently have the non-standalone architecture, in which 5G is built on top of 4G infrastructure.
Security issues with the GTP protocols used in 2G, 3G, and 4G networks will not fully disappear even with the transition to 5G Standalone. According to specifications still under development, 5G Standalone will retain GTP, albeit just for transferring user data (via the GTP-U protocol).
How can vulnerabilities in SS7 and Diameter affect 5G and the IoT?
We have already discussed[6] potential security issues in 5G networks. Even though the specification developers took into account the security flaws of previous generations of mobile networks, new technologies come with new risks. With 5G, operators will have to grapple with virtualization, more complex administration, and use of standard internet protocols with which hackers are already familiar. At the same time, 5G networks are inseparably linked to their predecessors.
Today's 5G networks have the non-standalone architecture. They rely on a 4G LTE core network (EPC). A 5G base station connected to the existing 4G infrastructure improves the bandwidth and latency of user data. During the transition stage, devices will connect to 5G frequencies for data transmission, but will still rely on 4G and even 2G/3G networks for voice calls and SMS messaging. Because of this, all the security concerns of previous generations will remain relevant for 5G networks.
5G networks interwork with other mobile networks. Therefore, hackers can perform cross-protocol attacks by exploiting vulnerabilities in multiple protocols as part of a single attack. For example, an attack on a 5G network can begin with exploitation of vulnerabilities in 3G to obtain subscriber identifiers. That is why protecting previous generations of networks is essential for 5G security.
Without securing the underlying telecommunication technologies, smart IoT systems cannot be kept safe. The biggest security threat to IoT devices is denial of service. The results of our real-world testing are alarming: across all networks, whether 2G, 3G, 4G, or even 5G, attackers can deprive subscribers of service. Smart home components or industrial equipment could be made unavailable at a critical moment. As 5G mobile technologies and IoT devices evolve, so does the threat landscape. Now even connected cars or smart city systems could be targeted by hackers.
Have these vulnerabilities actually been exploited in the wild?
In early 2019, clients of Metro Bank in the United Kingdom fell victim to an SS7 attack[8]: hackers exploited flaws in the signaling protocol to intercept SMS messages used for two-factor authentication. This was not the first such case. In one incident involving a German mobile operator, attackers managed to steal money from subscribers' bank accounts.
Not all incidents are made public. And not all operators even have the necessary technology to identify illegitimate activity. Threat analysis by PT Telecom Attack Discovery proves that mobile network attacks are not just isolated incidents or theoretical oddities, but a daily reality that mobile operators are facing now.
Who can fall victim?
Any person using mobile technologies is at risk. The threat goes beyond eavesdropping on subscriber conversations (although this can pose a real threat to politicians). It goes beyond hacking online banks by intercepting codes from SMS messages. People increasingly rely on IoT devices, which themselves rely on a robust Internet connection. But if this connection is not properly secured, such reliance may backfire in a major way.
Mobile operators are also at risk, bearing financial losses if targeted by fraudsters (who can bypass billing systems) or if abandoned by subscribers (who have money stolen due to operator insecurity or whose IoT devices stop working due to denial of service).
Depending on local legislation, mobile operators may also be subject to fines. Many jurisdictions have adopted laws on data protection, such as the GDPR in the EU and LGPD in Brazil, allowing regulators to impose fines in case of a data breach.
Securing MNO networks requires a thorough understanding of the problems and a systematic approach to solving them.
As a start, operators should follow GSMA security guidelines. According to ENISA estimates, only 30 percent of operators in the EU have implemented them. (In developing countries, fewer than 0.5 percent have done so.) It is crucial that operators adapt these guidelines intelligently based on real conditions on their networks, and then follow through to make sure that security is working as intended.
Security testing determines the effectiveness of existing measures, highlights vulnerabilities and risks, and offers a wealth of data for making improvements. If performed periodically, testing catches problems in time. Security settings must also be kept up to date, with verification both periodically and each time that network equipment is added or reconfigured.
Signaling traffic must be monitored and analyzed as it crosses the network border. This identifies potential threats and configuration errors. Such monitoring is encouraged by GSMA guidelines. To implement this, operators employ special threat detection systems that can analyze signaling traffic in real time and detect illegitimate activity by external hosts. These solutions block illegitimate messages without impacting network performance or subscriber availability. They can also relay information to other protection systems for maximum effectiveness.
Security must be a priority during the design stage. This is more true now than ever before, as operators begin to tackle construction of new 5G networks. Attempts to implement security as an afterthought at later stages may cost much more: operators will likely need to purchase additional equipment, at best. At worst, operators may be stuck with long-term security vulnerabilities that cannot be fixed later.
Detect. Non-stop real-time threat detection is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Protect. Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as part of an ongoing process.
Audit. Auditing provides essential visibility to fully understand your ever-changing network risks.
- According to our 2019 security research. The full report will be released in 2020.