Are legacy technologies a threat to EU’s telecom infrastructure?

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

Telecommunications is a key infrastructure based on how our society works. It constitutes the main instrument that allows our democracy and our EU core values such as freedom, equality, rule of law and human rights to function properly.

OPIS

Common types of attacks

There are currently over 5 billion unique mobile subscribers and over 2000 mobile operators worldwide. In Europe, we have 456 million unique mobile subscribers, which is equivalent to 84% of the population.

Mobile networks worldwide are still depending on SS7 and Diameter for controlling communications (routing voice calls and data) as well as on sets of protocols that were designed decades ago without giving adequate effect to modern day security implications. In this respect, the interconnected environment has become perilous.

As today’s society is becoming more and more digital, such vulnerabilities might inhibit the proper functioning of the mobile networks, thereby impacting the operation of the digital markets. A full range of new services (e.g. cloud, financial etc.) is being developed or is relying on the primary infrastructure offered by electronic communication providers (e.g. energy, transportation, eHealth etc.).

“In this context, ENISA has developed a study, which has examined a critical area of electronic communications: the security of interconnections in electronic communications, also known as signalling security. An EU level assessment of the current situation has been developed, so that we better understand the threat level, measures in place and possible next steps to be taken,” said Udo Helmbrecht, ENISA’s Executive Director.

Key study findings

The first generations of 2G/3G mobile networks rely on SS7, a protocol designed decades ago without considering security. The industry and security research community has started to look into the good practices and necessary tools that are already available. Basic security measures seem to have been implemented by more mature providers, but these measures only assure a basic level of protection. Still, more efforts are needed to be made in order to achieve an adequate level of protection across the EU.

Current 4G mobile telecommunication generation uses a slightly improved signalling protocol called Diameter. Based on the same interconnect principles, the protocol was proved to be theoretically vulnerable. The industry is still trying to understand exactly what the implications are and to identify possible workarounds. It is highly probable that in the near future we will see real attacks as well as suitable solutions becoming available.

The new 5G mobile generation is still under development. Early releases from some manufacturers are already available, but the standards are still in their infancy. Nevertheless, there is a risk of history repeating. Given the improvements that 5G will bring – such as more subscribers, increased bandwidth etc. – having the same security risks can be extremely dangerous.

OPIS

Security measures in place

Recommendations

The EU Commission:

  • Consider revising the current legal landscape in order to encompass signalling security.
  • Consider the adoption of baseline security requirements for electronic communications providers to include signalling security.

National Responsible Authorities:

  • Regularly analyse the situation at national level and be aware of any developments that can trigger significant incidents in this area.
  • If necessary, consider revising the national legislation, so that signalling security is covered in terms of incident reporting and adoption of minimum security requirements.

The industry:

  • Electronic communication providers: implement the necessary measures to ensure an adequate level of security and integrity of telecommunication networks.
  • Responsible standardisation bodies: ensure that signalling security is properly covered within the new 5G standards.