Mobile players’ networks not as secure as people think; hackers targeting these closed, specialized networks to exploit them for gain
They must be more open, transparent; employ right skills personnel to tackle challenges, and have a more preventive attitude
MOBILE network operators (MNOs) pride themselves on having high levels of security in the cellular networks they operate, due in part to the closed nature and sophisticated protocols they employ, but these networks may not be as secure as advertised, say telecom security experts.
Philippe Langlois, founder of P1 Security, said that just because there isn’t much spotlight on security compromises or breaches within the mobile MNO industry, it doesn’t mean that these networks are necessarily secure.
Speaking on the sidelines to Digital News Asia (DNA) at the recently concluded Hack in the Box (HITB) Security Conference in Kuala Lumpur, Langlois (pic) said the MNO industry generally has a closed mentality, as the industry as a whole has been driven a long time by a handful of global vendors and giant MNOs.
“There are approximately 50 global MNOs and fewer than seven equipment vendors, which collectively dominate the global mobile wireless landscape,” he said. “This is not best situation for [security] innovation because if these telecom security vulnerabilities are not on their radar or they don’t publicize these vulnerabilities, no one would know, including the MNOs themselves.
Langlois noted that operators have been dependent on having vendors lead the way where the deployment of services [including security] is concerned.
Many of these services are deployed for free but the problem with this is that real solutions to security problems only exist if these big vendors have identified them and have a solution for them, he added.
Langlois said good security practices would require both vendors and operators to face the fact that there are cyber criminals out to target their networks. Without this acknowledgement, the situation will be made worse as these MNOs will always think that they’re safe, he added.
Compounding this challenge, Langlois noted, is the fact that many vendors do not wish to publicize security vulnerabilities, as doing so will open them up to disrepute and negative publicity.
“The problem today is that there are a lot of criminals looking to exploit networks for gain, so operators need to adapt to that. But the experts who should be advising them are sometimes the same vendors, which [unfortunately] have no interest in publicizing network vulnerabilities. So the MNOs’ decision makers won’t have much credible information, and therein lies the problem.”
Emmanuel Gadaix director of Megapay, concurs, noting that MNOs wouldn’t even want to talk about it if they experienced outage or downtime simply because these events affect their reputation and brand.
“They’ve spent millions to develop their brands and they don’t want this to be affected,” he told DNA, adding that in this respect, they are very much like banks.
Underpinning this problem, Gadaix (pic) said, is the fact that too many MNOs put business as a priority over everything else. While acknowledging that it’s natural that business objectives are key drivers for any company, Gadaix said that this should not be the only guiding principle for these companies.
“For me the problem is that business has priority over everything else. These MNOs are constantly trying to launch services in a highly competitive environment, each trying to outdo one another. Because of this, everything is always rushed and as everything is urgent, security often gets overlooked.”
Gadaix believes that the mobile network industry has to date fortunately not seen any widespread breaches and compromises but this doesn’t mean that the day will never come.
“In fact, the day is already here as there are people who can breach these networks. Only when they realize that there is so much to lose that they need to make telecom security a priority,” he pointed out. “But since the industry hasn’t reached a critical mass of trouble yet, people take it for granted.”
Urged to be opened, transparent
According to P1 Security’s Langlois, the only way to address these challenges within the MNO world is to encourage more openness and transparency. For starters, he said operators must acknowledge that these attacks could happen or are happening to their networks.
Upon doing so, they should utilize the right kind of people to address these telecom security challenges, he added.
“They should not just stick an IT security manager to take care of telecom security as the two require very different skills sets,” Langlois said. “The IT guy [often] doesn’t know what happens on the telecom security side, and vice versa as there is no cross domain knowledge. That’s what’s lacking in today’s MNOs.”
He noted that while there are many IT security professionals who handle the operational side of the network, as well as security auditors such as those involved in fraud and assurance, there are very few who know about the internals of a mobile network, such as SS7 (Signaling System No. 7) security.
SS7 is a complex set of advanced telephony signaling protocols used by MNOs to control core parts of a mobile network and is aimed an ensuring that millions of voice and data connections are functioning properly.
Besides being transparent and having dedicated telecom security personnel, MNOs need to design and develop a holistic telecom security strategy, one that is driven from top down onto the company, Gadaix said.
“MNOs must get out of the ‘If it ain’t broke, don’t fix it’ mentality, and develop a preventive maintenance culture instead. Management also needs to rely less on what vendors say to them as very often, when an MNO discovers a flaw in the system, vendors may not want to do anything about it, saying that any move to do so will void equipment warranty," Gadaix claimed.
Longlois added, “Security is about knowing the problem and in this respect, it’s not that different from the IT security world. Networks need to be monitored closely by specialized tools that can identify problems before they can be fixed.
“The good thing is that there are some MNOs which are taking telecom security very seriously, such as those in the Gulf countries, because they have a security culture and the budget for it. However, this should be everyone’s concern as mobile networks are essentially a part of critical infrastructure.”
DNA was one of the official online publications for HITBSecConf. For DNA's complete coverage of HITB, click here.