'... makes several recommendations'
Which will almost certainly be completely ignored in the race for profits.
Me? Cynical? Surely not.
Legacy technologies pose a threat to the European Union's telecommunications infrastructure, a study by cybersecurity agency ENISA warns. 2G/3G mobile networks worldwide still depend on SS7 and Diameter for controlling communications (routing voice calls and data) as well as sets of protocols designed "decades ago without …
2G and 3G support authentication of the handset+SIM to the network. 4G adds authentication of the network to the handset+SIM to mitigate the rogue basestation problem.
AFAIK there are no public exploits against 4G. There are however plenty of downgrade attacks that basically block 4G forcing people onto 2G/3G and then exploit any of the myriad of issues in the older tech.
In terms of voice calls the rogue basestation attack works regardless simply because you can’t make calls over 4G atm. Your phone drops down to 2G/3G for voice.
If you think Intel are terrors re: backwards compatibility you ain’t seen nothing like telco. I can’t see 2G (and thus the insecure protocols) being dropped for a very long time. At least 15 years. It’s easier to retrofit security in the form of IDS type boxes than to reengineer the whole system. Everything is moving to IP now so it’s much simpler to filter and monitor traffic on SIGTRAN etc than it was when it was over FR etc. It sure ain’t perfect, but it’s easier than getting an agreement at 3GPP etc to replace it all.
There's nothing wrong with SS7, provided you trust that you knew everybody who can see the network traffic and knew who all the network nodes belonged to. Back in the old days this was reasonable as it was limited to the national telecoms companies. The problems have started since carriers have gotten lazy and started bearing SS7 traffic on Internet connections, meaning that literally anyone can see and interact with the SS7 traffic.
Ok, so if the Internet is going to be the underlying carrier, they still have to solve the problem of securing that. Last time I looked that wasn't straightforward either to completely guarantee it. You have to ask yourself, is that certificate really trustworthy? Does it really belong to the telephone company I think it does? Do I even know if that really is a telephone company off in some far flung land, or is it just someone pretending?
In short, I don't see why telecoms is immune to the Internet's identity problems. CAs aren't wholly trustworthy, and no one could fully establish the identity or bona fides of all the world's telephone companies.
The issue isn’t the internet. It’s about the trust relationship within the SS7 network. Someone at a telco in <insert dodgy country> can rent out access to their SS7 endpoint, allowing said renter to issue SS7 queries to any attached network (e.g. Voda in the UK).
And when I say they can rent access, I mean they do. Other than segmenting the whole thing (bye bye roaming) it can’t really be fixed. It wasn’t designed to deal with nefarious folk. It’s old!
The ENISA report focuses on interconnection security, i.e. security between networks, not the phone to base station (eNB) interface.
SS7 / SIGTRAN -> if you don't want to cut off countries or regions, then the filtering/pen-testing is the way to go
Diameter (3G/4G) -> establish secure channel as far as possible, filtering, pen-testing
5G -> uses many typical internet type protocols for core network communication. Telcos need to think and treat their network differently (PKI establishment and secure comm for sensitive info between networks, multi-layer FWs, security zoning in core network, pen-testing etc). if the security is not done properly, then this could also pose a big fraud risk to telcos.....
More interesting, the FCC issued SS7 guidelines last year in March. How much has really happened after that in reality??
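As an added example (my own code, not from the ENISA report, the FCC guidelines or any commenter above), here is a toy Python model of the interconnect filtering this comment recommends for SS7/SIGTRAN, applied to the "rented SS7 endpoint" scenario from the earlier comment: a border filter that looks at each inbound MAP operation and the SCCP calling Global Title (GT) that sent it. Everything concrete in it is an assumption for illustration: the partner GT prefixes, the sample IMSI and GTs, the split of MAP operations into "home network only", "roaming partner only" and "open" sets, and the 30-minute location-change plausibility threshold. The numeric MAP opcodes are the local opCode values from 3GPP TS 29.002 as I recall them; check them against the spec before relying on them.

```python
"""Toy SS7 interconnect filter (illustrative, not a real SS7 firewall).

Models one layer of the filtering recommended in the thread: an inbound
MAP message arriving over the interconnect is passed or dropped based on
(1) which operation it requests and (2) which Global Title sent it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# MAP local opCode values as I recall them from 3GPP TS 29.002 (verify).
UPDATE_LOCATION = 2
SEND_ROUTING_INFO_FOR_SM = 45
SEND_AUTHENTICATION_INFO = 56
SEND_IMSI = 58
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Assumed policy (mine, not the report's): operations that are only used
# inside the home network and so should never arrive from the interconnect.
HOME_ONLY_OPS = {ANY_TIME_INTERROGATION, PROVIDE_SUBSCRIBER_INFO, SEND_IMSI}
# Operations a roaming partner's VLR/SGSN genuinely needs for our roamers.
ROAMING_OPS = {UPDATE_LOCATION, SEND_AUTHENTICATION_INFO}
# Operations any known interconnect partner may send (SMS interworking).
OPEN_OPS = {SEND_ROUTING_INFO_FOR_SM}


@dataclass(frozen=True)
class MapMessage:
    calling_gt: str  # SCCP calling-party Global Title (E.164) of the sender
    opcode: int      # MAP operation requested
    imsi: str        # subscriber the operation targets
    t: int           # arrival time in seconds (constructed clock)


class InterconnectFilter:
    """Per-message pass/drop decision for inbound MAP over the interconnect."""

    def __init__(self, partners: Dict[str, str], min_travel_s: int = 1800):
        # partners: GT prefix -> partner network name (constructed allowlist)
        self.partners = partners
        # assumed minimum time for a handset to plausibly move between
        # two different partner networks
        self.min_travel_s = min_travel_s
        self.last_seen: Dict[str, Tuple[str, int]] = {}  # imsi -> (partner, t)

    def _partner(self, gt: str) -> Optional[str]:
        for prefix, name in self.partners.items():
            if gt.startswith(prefix):
                return name
        return None

    def verdict(self, m: MapMessage) -> str:
        # 1. Home-only operations are dropped regardless of who sent them.
        if m.opcode in HOME_ONLY_OPS:
            return "drop:home-only-operation"
        # 2. Anything from a GT that is not a known partner is dropped: this is
        #    the rented-endpoint case, where the sender is not a roaming
        #    partner at all.
        partner = self._partner(m.calling_gt)
        if partner is None:
            return "drop:unknown-calling-gt"
        if m.opcode in OPEN_OPS:
            return "pass"
        if m.opcode in ROAMING_OPS:
            if m.opcode == UPDATE_LOCATION:
                # 3. Plausibility check: a subscriber cannot register with a
                #    second partner network only minutes after the first.
                prev = self.last_seen.get(m.imsi)
                if prev and prev[0] != partner and m.t - prev[1] < self.min_travel_s:
                    return "drop:implausible-location-change"
                self.last_seen[m.imsi] = (partner, m.t)
            return "pass"
        # 4. Default deny for anything not explicitly allowed.
        return "drop:unhandled-operation"


def run_demo() -> List[str]:
    """Runs constructed sample traffic through the filter; returns verdicts."""
    f = InterconnectFilter({"4477": "UK-partner", "3361": "FR-partner"})
    imsi = "234150000000001"  # constructed
    msgs = [
        MapMessage("447700900001", ANY_TIME_INTERROGATION, imsi, 0),    # tracking query
        MapMessage("99900000001", SEND_ROUTING_INFO_FOR_SM, imsi, 0),   # unknown GT
        MapMessage("447700900001", SEND_ROUTING_INFO_FOR_SM, imsi, 0),  # SMS partner
        MapMessage("447700900001", UPDATE_LOCATION, imsi, 0),           # roams in UK
        MapMessage("336100000001", UPDATE_LOCATION, imsi, 600),         # FR 10 min later
        MapMessage("336100000001", UPDATE_LOCATION, imsi, 4000),        # FR 66 min later
        MapMessage("447700900001", 100, imsi, 0),                       # assumed unknown opcode
    ]
    return [f.verdict(m) for m in msgs]


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The point of the demo is the second message: a sendRoutingInfoForSM (which reveals the serving MSC and IMSI) from a GT that belongs to no roaming partner is dropped on origin alone, before the opcode is even considered. Real deployments refine this with per-GT rate limits and by checking that a roaming-only operation comes from the network where the subscriber is actually registered; both are omitted here.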
Biting the hand that feeds IT © 1998–2019