Telecom networks operate in two different planes: the user plane and the control plane. The user plane – also known as the “bearer” plane – is where all user data (voice, data, video) is carried. The networks manage user sessions and authenticate devices and subscribers using the control plane. The control plane is also interconnected with other networks to support roaming when we travel.
Networks once used dedicated circuits to connect to other networks (such as T1/E1 circuits). These dedicated circuits carried a level of inherent security because they were assigned to a physical building address and could not be easily moved around. As the address of the termination point for the circuit was well recorded, it was extremely difficult for abusers to hide. This method of interconnection between networks prevented unauthorized access into both wireless and fixed line networks.
Around 2000, however, we began migrating our networks to an all-IP infrastructure. This had a profound effect not only on the transport network, but on interconnections as well. IP circuits can be accessed from anywhere, exposing the network to new threats. Still, there was a certain level of skill and expertise required to connect to a telecom network and use it for any nefarious activity. Only telephone companies and their engineers possessed this expertise. Specifications for these networks and their underlying protocols cost thousands of dollars, providing yet another barrier to would-be hackers.
Eventually, knowledge about these networks and the technology used in these networks became widespread, including through university curriculum for engineers. Specifications and standards are now free to anyone through the internet. These specifications have become available to everyone and what was once proprietary knowledge has become public knowledge.
Researchers have demonstrated that anyone with a laptop can access a communications network and attack subscriber sessions. They can steal sensitive personal information such as location, and hijack conversations and text messages. Tools, services and products are now available to automate this for those not ready to learn.
Given the increase in telecom network attacks, the telecom industry must begin taking a new approach to security. Let’s examine how communications networks can be exploited today, based on evidence now being shared among service providers and based on findings from various researchers.
The first step to exploiting the network is getting access. This can be done through service providers who are selling direct access to their networks – in some cases for as little as $1,000 per month. These are typically smaller operators in developing markets, who view this as necessary revenue, even though they know that selling direct access may compromise networks all over the world.
It is extremely difficult to single out these operators and prevent them from accessing other networks because blocking traffic from these networks puts their subscribers at risk. However, the industry needs to come up with a better way to manage direct network access and associated risks from these complicit operators.
The dark web reveals there are more sources for gaining access to telecom networks besides through other service providers. There are now many types of companies that have negotiated network access to deliver content, location services, texting services and more. On the dark web, some of these companies are selling access to more than 600 networks for a nominal fee.
Getting access to telecom networks has become very easy – and once access has been provided from one provider a hacker can access all of the other interconnected networks. The entire roaming ecosystem is now at risk.
After gaining network access, a hacker needs his own network. This was a barrier previously, but now hackers can obtain a number of open source tools that allow them to emulate a complete network on a simple Linux laptop. Many of these products are used in lab environments for testing by equipment vendors, but this is also how researchers are able to send commands into remote networks for control of subscriber sessions.
Researchers have already demonstrated a handful of network exploits and there are definitely more to be found. If a rogue nation or terrorist organization can access the control plane of any network in the world, well, Houston we have a problem.
Most of the media attention on this topic has focused on SS7 protocol, as if this was the only technology at risk. This could not be further from the truth, yet a lot of focus has been placed here because all of the research has focused on SS7. We are now seeing the same attacks being demonstrated on diameter networks and we can only expect this exposure to continue.
There is also a belief within the industry that there is very little of this type of activity happening in real networks today. This is something we hear in the fraud industry often – there is no need to fix something that has such low risk. But in this case, while there may be few instances, the stakes are much higher. If the target is high profile and an attack is launched against that target, the fallout will be severe and possibly dangerous. The industry cannot afford to take a “wait until it happens to us” attitude when it comes to this type of security vulnerability.
The good news is there are plenty of things that operators can do today to secure their networks and prevent exploits of this nature. Implementing access controls is a basic tenant of good IT practices and all operators should restrict the level of access any entity has into the network to prevent wide-scale abuse.
This is a principle that the telecom industry has not yet learned because we have always operated under a model of trust. However, this is no longer the case.
Every type of network uses gateways for access. In the voice-over-IP domain, session border controllers provide a gateway function with the ability to restrict the level of access by other networks. In fixed line, 2G and 3G networks, the signaling transfer point acts as a gateway into the control plane of the network, preventing unauthorized access into the network.
In 4G networks, the control plane uses a new protocol called diameter. In these networks, a diameter signaling router provides an important function defined by the GSMA as the diameter edge agent. The DEA also provides the ability to implement access policies through comprehensive filters preventing unauthorized messages from entering into the network.
Content providers and other “over-the-top” partners have also been given full access to the control plane of a network, but this is not necessary. They should be managed through an API providing access to information through a tightly controlled interface. Services gatekeepers for API management should be used in all cases where an operator is providing a connection to a partner that is not operating a regular telecom network.
Researchers and industry experts agree that these gateways are the access points into the network, and as such the best place to implement access policy. But unlike the direction we see many operators trying to take, not every single control message needs to be filtered or defined.
The best approach to securing the network is to think about each of the exploits and how they are implemented. The exploits we have seen to date require a number of different commands and messages to be successful, yet if one message fails, the entire exploit is thwarted. This is a critical concept to understand.
Rather than try and address every message in a control protocol, it is much more efficient to address each of the known exploits first. This will allow an operator to quickly secure the network from known vulnerabilities and provide much-needed security to its high profile subscribers immediately. Over time, the operator can then look at treatment for other commands and whether or not they should be allowed by specific partner networks.
Network security has never been more important than it is today. There is increasing evidence that communications networks are being compromised and used for tracking the location of individuals, eavesdropping on conversations and intercepting text messages. It is this author’s belief there is yet more to come and organizations need to plan accordingly. Never has it been more important to invest in the security of the network than it is today.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: [email protected].
