Unmasking the Vulnerabilities in Telecom Signaling: A Call for Enhanced Security

Mobilizing Collective Action for Telecom Signaling Security

By Rowland Corr, Vice President and Head of Government Relations, Enea

Telecommunications, particularly mobile networks, have become the backbone of our modern, interconnected society. They facilitate seamless communication and real-time information sharing, and underpin numerous vital services that touch every aspect of our daily lives. As these networks have proliferated, their complexities have grown, making them both a marvel of modern engineering and a potential point of vulnerability.

While the telecom industry has made strides in fortifying the security of these networks, there remains an often-underestimated weak link: mobile signaling security. This crucial component, responsible for tasks such as call routing, message delivery, and data transfers, has become a prime target for threat actors. Exploits in this domain can lead to a myriad of issues, from personal data breaches to disruptions that can impact national security. As we delve deeper into the world of telecom signaling vulnerabilities, it’s imperative to understand the risks at hand and the measures needed to mitigate them.

Understanding mobile signaling

Mobile signaling can be aptly described as the “traffic controller” of telecommunications networks. It’s the underlying mechanism that manages and directs the flow of data, ensuring that calls, messages, and other forms of communication reach their intended destinations. Signaling protocols are responsible for the entire lifecycle of these communication sessions, from their initiation and the transfer of data to their eventual termination. This intricate system not only facilitates communication within a single network but also interconnects telecom infrastructures of countries globally, sometimes referred to as the interconnect environment.

One of the most pivotal protocols in mobile signaling is Signaling System 7 (SS7). For decades, SS7 has been the cornerstone of global communication, enabling functionalities like call setups, SMS routing, mobile roaming, and number portability. Designed in the 1970s, SS7 was conceived as a closed network, built on mutual trust among all its participants. This design, which once was its strength, has been exposed as inherently vulnerable as cyber threats have evolved. Yet, the adoption of adequate measures to protect signaling interfaces has been slow to materialize, due on the one hand to a lack of capability to detect such threats on the part of mobile operators, and on the other to a prevailing focus on IT-based security threats. This has led cyber policymakers and practitioners to overlook mobile signaling. As we progress into an era of exponentially heightened digital connectivity, understanding signaling vulnerabilities and their implications, and the role of signaling security as a pillar of cyber resilience, becomes ever more critical.

The neglect of mobile signaling security

As the digital threat landscape has evolved, the focus of cybersecurity has predominantly shifted toward IT security, often sidelining the unique challenges posed by mobile signaling. This trend was notably highlighted by entities like the European Union Agency for Cybersecurity (ENISA), which emphasized the disparity in definitions and understandings of “cyberspace” across industries. Such disparities have inadvertently led to a concentration on internet-borne threats, leaving mobile signaling, with its distinct technicalities and vulnerabilities, in the shadows.

This oversight is further exacerbated by the specialized nature of signaling, which requires its own sets of expertise, tools, and systems. Historically, signaling experts have been more engrossed in managing network operations and troubleshooting performance issues rather than proactive threat hunting. This has resulted in a significant gap in many operators’ Security Operations Centers (SOCs) and national cybersecurity frameworks, creating a blind spot that threat actors can readily exploit.

The inadequacy of too basic ‘baseline’ security measures

The vulnerabilities inherent in mobile signaling came to the forefront of industry attention in 2014 when the security of SS7 was publicly questioned, both due to geopolitical events and research revelations. These investigations showcased how the protocol could be manipulated by threat actors to track user locations, intercept calls, and read text messages. While SS7’s widespread use in global telecommunication infrastructure raised concern, today there is a pressing need for more than basic ‘baseline’ security measures. The fact that even Diameter, the more secure successor to SS7 used in 4G and 5G networks, has shown substantial susceptibility to exploitation by attackers, creates a growing imperative not only for multi-protocol signaling protection but for continuously optimized security measures in the face of determined and sophisticated threat actors.

Operator blind spots and the need for better regulation

Not only are basic baseline security measures no longer enough, but there is now an urgent need for evolved incident reporting requirements to incentivize and prompt action by operators. Current regulatory frameworks often lack the scope and efficacy to capture the societal impacts of signaling-related incidents and threats. This is because in any single instance, signaling threat events are often comparatively low in volume and non-disruptive in nature, and yet when executed by state-level threat actors can be sufficient to jeopardize national security. Moreover, the resultant data breaches can also add up over time to a very high volume of impacted users yet without any single event meeting the typical reporting threshold for incident notification by operators. This gap in national frameworks can allow extended attack campaigns to go undetected, simply not being ‘on the radar’ of operators, regulators, or national cyber agencies. Accordingly, regulatory frameworks must be updated and informed by a suitably evolved approach to defining significant impacts and security incidents. This may serve as the catalyst for fit-for-purpose telecom security and comprehensive cyber resilience.

Where operators find themselves ill-equipped to detect and counteract threats involving mobile signaling the deficiency isn’t merely a result of inadequate protection but also stems from a systemic lack of awareness and prioritization in the industry as a whole. While compliance is essential, it’s equally crucial for operators to possess the capability to identify and respond to threats proactively. This has the added potential to facilitate threat information sharing among the telecoms security community, which has been called for for many years, but which has progressed very little. Since the first line of defense is threat visibility, regulators and government more broadly have a crucial role to play in enabling operators to address the security blind spot presented by signaling, by ensuring that control plane threats to data confidentiality and integrity, as well as availability, are made visible. With the right support for capability development where needed, countries can close this critical gap and fortify the cyber resilience of their mobile telecom networks.

What’s next?

The vulnerabilities in telecom signaling are not just technical challenges; a broader call to action throughout the entire telecommunications ecosystem must be heeded. As digital threats grow in sophistication, the need for a strategically aligned, mission-oriented response becomes paramount. The future of telecom security hinges on transcending traditional boundaries and fostering collaboration among operators, regulators, and the greater cybersecurity stakeholder community. By embracing a collective approach, we can anticipate emerging threats, share insights, and drive innovative solutions. The question isn’t whether we can secure our networks, but whether we can come together with the urgency and unity of purpose this mission demands. The time for siloed approaches has passed; the era of collective resilience through collaborative action is upon us.

About the Author

Rowland Corr is the Vice President and Head of Government Relations of Enea. He helps cybersecurity agencies, regulators, and other government stakeholders evolve and execute their national cybersecurity strategies. Prior to joining Enea, Rowland served in Ireland’s Department of Defence in interdepartmental advisory and international engagement roles on security matters such as cybersurveillance, non-proliferation, and hybrid threats. Rowland can be reached online at our company website https://www.enea.com/ and https://www.enea.com/insights/eneas-experts-meet-rowland-corr/