How Telecom Got Security Wrong

By: Travis Russell

The telecommunications industry needs to rethink security. The concept of trust among roaming partners has proven to be inaccurate, and the industry is now seeing evidence that trust is no longer a reasonable assumption. As service providers struggle with this breach of trust, the industry is rapidly moving to an IT-based model, with its own set of vulnerabilities.

When the industry began work on a new signaling technology a few decades ago, the intent was to eliminate the fraud and security concerns of the time. Long distance and international calling was being compromised through clever techniques such as the Captain Crunch whistle that produced a perfect 2600 Hz tone. Black boxes were being used to create the tones used by pay phones to signal switching systems and fool them into connecting long distance and even international calls at no charge. The answer to the problem was the elimination of in-band MF signaling and the implementation of Signaling System #7 (SS7).

The new signaling technology was designed to be used in closed network architectures, and therefore today does not possess authentication mechanisms. If someone is connected to the network, that person becomes part of the closed community — a trusted partner in the telecom ecosystem.

When the industry began implementing IP as a transport in 2000, many industry experts began sounding warnings that the industry was introducing new vulnerabilities found on the Internet into the United States' critical infrastructure. These warnings were not fully heeded, mostly because connections to other networks still utilized time division multiplex (TDM) circuits, inherently secure due to the technology itself. Plus, the industry was still operating with a concept of trusted partners.

Introduction of Untrusted Partners

With wireless networks, many new types of partners, including content providers, were added. As more and more partners were added into the ecosystem, the industry lost control of any “trust” and was now allowing anyone access to critical infrastructure via an insecure technology (IP) without extensive vetting, on a global basis.

What has come to light of late is the truth about the industry’s “trusted” partners. Many have been found to be complicit in offering connections to the signaling network for a small fee, treating it as a revenue stream. This provides an easy avenue for any hacker or nation-state to reach, through the roaming ecosystem, the control plane of any connected telecommunications network in the world.

This notion that a trusted partner would grant access to any entity for a small fee is what the industry failed to recognize. No one (this author included) believed that it would be possible to purchase network connectivity using an IP connection, and purchase the necessary network credentials along with it. This combination allows for any entity to masquerade as a legitimate roaming partner, and extract sensitive subscriber information from any network in the world. 

We have seen this demonstrated many times already, and we have now moved from purely theoretical and academic conjecture to reality. After more than a decade, we can see evidence of breaches in wireless networks that utilize exploits made possible through IP connections (such as SIGTRAN in SS7). Subscribers have had their bank accounts drained after hackers intercepted the two-factor authentication codes sent to them via SMS. Hackers have demonstrated the ability to track anyone’s location using the control plane of the wireless roaming ecosystem. SIP spoofing continues to support a multitude of crimes, including impersonation of law enforcement agencies and the IRS. These vulnerabilities are not limited to any one technology; they are possible using any technology used to connect two networks.
