How CSPs can secure their networks by using wholesale carrier capabilities to address signalling threats
Location tracking and interception of communication (SMS and/or calls), in addition to wholesale fraud and other less severe forms of malicious activity, have become a fact of life for communications service providers (CSPs). Subscribers’ data privacy, the security of M2M and IoT devices and application-to-person (A2P) messaging are all under threat, affecting individuals, businesses, institutions and government.
A vital industry challenge is to make mobile connectivity secure and communications cleaner by eliminating spam and Wangiri attacks. Regulators are pushing to eradicate these issues and these forms of fraud need to be combatted in order for CSPs to maintain their trusted position with customers and partners. One of the reasons doing this is so challenging is that CSPs’ signalling protocols were designed for a different era when CSPs were focused on domestic usage and delivering connectivity to their own subscribers.
The need to interwork and enable national and international roaming was not the main consideration when 3GPP defined the signalling protocols, especially SS7. Protocols were built without security mechanisms such as authentication, confidentiality and integrity protection, and only later used to enable interworking between mobile operators.
SS7 – one of the most popular signalling protocols – was designed decades ago with the assumption that CSPs would operate in a closed environment. However, the environment has evolved to become open and, consequently, less secure. Much of the activity conducted by bad actors is undetected and so only a few incidents have been publicly announced, but CSPs recognise the need to protect their networks and subscribers.
That’s easily said and far harder to achieve as CSPs also want to keep their signalling capabilities open to a long list of partners and wholesale customers.
“Roaming interconnect has evolved a lot with the advent of global roaming. CSPs have opened up to many different kinds of players such as mobile virtual network operators (MVNOs), aggregators, value-added services (VAS) providers, roaming hubs or roaming sponsor platforms and others; at the same time, connectivity has to be maintained on different layers of technology,” explains Guillaume Lavernhe, senior product manager for IPX Security at BICS. “The industry hasn’t replaced 2G interconnect but added 3G and 4G and, later, 5G, so it’s getting very complex to secure for mobile operators.”
“There are three main factors that have raised the level of complexity,” he adds. “First, the number of traditional CSPs has been constantly increasing and, at the same time, CSPs have opened up to new players. It’s not only peer-to-peer interconnections anymore.”
“Next, new generations of technology have been adopted while the previous ones have been maintained,” he says. “Legacy signalling protocols are still in use despite their lack of security mechanisms. Although there is talk of 2G and 3G being retired, BICS foresees that 2G will still exist in the next 15 years as 4G roll-out is incomplete in some regions and multiple European operators plan to keep 2G for M2M connectivity.”
“Finally, there is greater complexity with roaming platforms and services,” Lavernhe adds. “We have a very rich mobile ecosystem which adapted to the hatching of MVNOs, A2P messaging, travel SIMs, IoT and, at the same time, to the consolidation around groups or alliances. To support the various business models that coexist, we as an industry have introduced a great variety of platforms and services such as roaming sponsor (multi-IMSI), steering of roaming and roaming hubs, which add complexity and sometimes twist the traditional frame of interworking with a growing number of exceptions.”
Understanding signalling threats and how the vulnerabilities of telecom protocols can be exploited requires highly specialised expertise in both roaming interworking and cybersecurity. This combination of skills is not easy to find and, while the GSMA has put a lot of effort into delivering guidelines and recommendations to the community, the threat is changing and there are still very few companies in the industry which can provide the required tools and expertise.
“You can’t just buy a box and think you are done,” adds Lavernhe. “Some complex attacks can hardly be blocked using static rules without a serious impact on the legitimate traffic. The focus is about visibility of the threat – not only raising alarms but qualifying the attacks, minimising the false positives and being able to spot the very few events which can damage a network or set up a call interception within the 5 to 10 billion messages exchanged every day through our backbone.”
This is where BICS can help. “BICS, as a wholesale carrier, is an international gateway sitting at the boundaries of the operator networks with the rest of the world,” says Lavernhe. “This means we can authenticate the source of the messages and block those which are not expected on the roaming interconnect. This is something we have been doing on 4G interworking from Day 1 and which has been adopted by other carriers through the RESIST initiative at the GSMA.”
That position at the international edge means BICS has huge insight into traffic. Lavernhe says that 25% of roaming signalling and 50% of the world’s data roaming passes via the BICS network, giving it a unique visibility into international threats and the possibility to go beyond the operator and crowdsource threat intelligence from all its customers.
POST Cyberforce, the team of cybersecurity experts from POST Luxembourg, has worked with BICS to launch a solution designed to help mobile operators secure their network infrastructure against signalling attacks, and safeguard their subscribers and revenues. The partnership combines POST Cyberforce’s expertise protecting critical infrastructure with BICS’ suite of fraud prevention solutions and unrivalled position as the largest global roaming provider.
The solution covers the two essential pillars of mobile networks’ cybersecurity. First is a network vulnerability assessment of the real roaming environment. Second is a telecom intrusion detection system, designed with embedded business logic and supported by a regularly updated threat knowledge-base. Combining proactive infrastructure testing, real-time threat prevention, and 24×7 business support for forensic investigations, the offering also includes an additional layer of security for mobile operator networks. It will significantly enhance security for IoT devices, which are increasingly reliant on mobile networks for connectivity and have seen a nine-fold increase in attacks year-on-year.
“Our IPX Security solution is designed with a mobile operator for mobile operators, following a practical approach with a strong focus on the operational aspect and on eliminating false positives,” Lavernhe concludes. “Our solution addresses SS7, Diameter and GPRS tunnelling protocol (GTP) threats and will look at the security challenges of 5G; the solution is flexible so we can provide CSPs with an end-to-end solution, either hosted or on-premise. We configure this for our customers who also receive 24×7 business support from our signalling and security experts.”