PARTNER FEATURE: A high-profile hack of a Tier 1 European operator last year again exposed the serious consequences that can result from exploiting vulnerabilities in mobile network signalling systems. In this case, the operator’s customers had money stolen from their bank accounts because attackers had exploited weaknesses in the Signalling System 7 (SS7) protocol to intercept two-factor authentication codes sent by the banks via SMS messages.

While this type of attack is rare, it is nonetheless alarming.

In the past, the SS7 protocol was viewed as inherently secure even though it was not designed with security features. It was used to interconnect trusted parties and it seemed impossible to access the signalling layer without an operator licence. Today, access to the international SS7 signalling network is offered as a commercial service at a reasonable cost, and there are so many more network elements and points of interconnection – many of which interface with IP networks and all the vulnerabilities that entails – that the threat landscape has greatly expanded.

Hacked signalling data can be used for banking fraud, location tracking, eavesdropping, authentication theft, transfer of executable malware code, and denial of service attacks.

Recognising the flaws in SS7 and its next-generation successor Diameter (which is widely deemed to be less secure than SS7), mobile operators have deployed multi-protocol firewalls to protect their signalling networks. To focus industry efforts, NetNumber led an initiative in 2016 which became a working group within the GSMA that sets guidelines for the implementation of SS7, Diameter and GPRS Tunnelling Protocol (GTP) signalling firewalls. These GSMA guidelines are also referenced in recent reports by the Federal Communications Commission (FCC) and European Union Agency for Network and Information Security (ENISA), which advise mobile operators in the US and Europe to protect their networks adequately.

But the threats to mobile networks are rapidly evolving and operators need more sophisticated solutions. According to NetNumber, the attacks on signalling networks are becoming more frequent, more sophisticated and the attack surface has expanded, as there are more points of entry into the core network. Also, while signalling firewalls are effective, solutions are often complex and fragmented.

In addition, the growth of IoT connected devices means there will be a wider variety of end points with varying security parameters that can be used to gain illegal access. Meanwhile, the rise of virtualisation, multi-access edge computing (MEC) and private LTE networks means core functionality will be deployed in less secure locations at the edge of the network or on the premises of enterprises. Signalling firewalls must provide protection at the edge as well as scale with IoT connectivity growth.

Automated data provisioning for firewalls
The effectiveness of a signalling firewall depends on the accuracy and completeness of the data that feeds into its filtering functions. The filtering rules determine whether messages are allowed or blocked. If the data is wrong, this leads to erroneously blocked calls and messages, and hence customer complaints, or it results in passing risky traffic from malicious sources.

Inaccurate data increases the operational burden on operators to resolve incidents while also creating opportunities for hackers to bypass filters and firewalls.

“The signalling firewall itself is not enough,” said Pieter Veenstra, senior manager of product development, security and routing at NetNumber (pictured, right). “Having accurate and up-to-date signalling network data is becoming more and more of an issue.”

The security risk is particularly high for mobile roaming traffic. There are about 2,000 MNOs and MNVOs worldwide, of which about 1,000 are globally interconnected end-to-end. When users travel abroad with their mobile devices, a vast amount of data is exchanged between the home and visiting networks to authenticate users, update user locations and preserve service features, just to name a few functions of the signalling layer.

Typically, this signalling network data is gathered manually every day by operators themselves, which is time consuming, costly and prone to errors. The data is held in the GSMA IR.21 roaming database, but it is often incomplete and inaccurate, making it inadequate for feeding a firewall. Having a signalling firewall without accurate data is like having a car without the fuel, said Veenstra.

Ideally, signalling data should be automatically provisioned to the signalling firewall so that operators can securely transmit traffic and protect their networks and customers. NetNumber’s Global Data Services, which gathers and sorts data from about a hundred sources for routing applications, can be leveraged to feed signalling firewalls so that operators have real-time access to accurate information.

Nodal learning
In addition to automated data provisioning, NetNumber has also developed a machine learning-based method for extracting the most up-to-date signalling network data, called nodal learning. Each signalling firewall node on the network inspects all the signalling traffic and extracts the addresses of every active node on the network and its specific role.

By using real signalling traffic to learn addresses and nodal behaviour contexts, operators can even preventatively protect their networks against unknown, suspicious nodes. Nodal learning also greatly simplifies firewall operations and protects against configuration errors. Nodal learning will also build a real-time and complete alternative for the data that should be found in the GSMA IR.21 database, added Veenstra.

During a recent test with a Tier 1 mobile operator, the nodal learning implementation discovered many more SS7 Global Titles on the network than the operator expected, showing that the capability was much more accurate than manual methods.

NetNumber is currently working within the GSMA on a new initiative to facilitate operators sharing information about detected signalling vulnerabilities and nodal learning data as part of its signalling security guidelines.

“Operators need to become more collaborative and share information in order to protect their networks against the increasing sophistication of the signalling attacks by the fraudsters and hacking industry,” said Veenstra. “That is the next step.”

Signalling security at the edge
As more operators embrace edge computing, signalling security cannot be compromised when core network functionality is distributed out to micro data centres.

“Security is a non-negotiable requirement,” said Saverio Vardaro, technical solution architect at NetNumber (pictured, left). Whether it is a 4G network or future 5G, security must be included “by design” for all network architectures.

“The proliferation of distributed architectures is an opportunity to better serve new business cases and markets, but it also represents a challenge,” Vardaro said. “Borders are fluid and go beyond the traditional core network data centres, often reaching enterprises and distributed over third party clouds. The right platform can greatly change the game, enabling distributed security models and streamlined operations.“

NetNumber’s TITAN Centralised Signalling and Routing Control (CSRC) platform, which supports more than 200 billion transactions per month, provides a flexible virtualised infrastructure that can be deployed on bare metal, in virtual machine form factor, or as a containerised app to support distributed edge implementations.

Together, automated data provisioning of firewall filter data, nodal learning and the flexibility of the TITAN platform will enable operators to lock down signalling security from the core to the edge, heading off increasingly sophisticated threats to protect current and future mobile services.