Mobile network operators' telecom security may not be as secure as you think
Over-dependence on vendors’ agenda, lack of skill to tackle complex subjects
Periscope by Edwin Yapp
A COUPLE of weeks ago, Digital News Asia covered the HITB Security Conference, a world-class IT security conference that touched on a continuum of issues facing companies and consumers alike.
In one report that I had filed, I spoke with two telecom security researchers: Philippe Langlois, founder of P1 Security; and Emmanuel Gadaix, director of Megapay, who also happens to be the former technical director of file-sharing website Megaupload.
Essentially, Langlois and Gadaix argue that the networks of telecommunication firms, especially mobile network operators’ (MNOs), aren’t as safe as people believe them to be or as advertised by the vendors and MNOs themselves.
There are two main reasons for this. The first is that there is a false perception that just because an MNO’s network is largely privately administered and controlled, it is relatively safer compared with typical corporate IT networks. There are also fewer MNO networks for cyber-criminals to target compared with the myriad corporate IT networks.
Secondly, Langlois and Gadaix noted that telecom security is also more specialized than general IT security and there may be fewer people in the know about its exploits and vulnerabilities than about generic IT exploits. Related to this is the fact that MNOs’ core networks function with a lot more specialized and proprietary protocols, making them more niche and less attractive for cyber-criminals to target.
But while these reasons may have been valid to a certain extent in the last decade, the duo convincingly argue that the situation has now changed. Firstly, it’s a well-known fact that cyber-criminals have long moved away from notoriety and bragging rights as their prime motive to monetary profit as their main driver.
In tandem with this, the kind of activities traversing mobile networks has also changed. Today, MNOs’ networks not only carry voice and simple SMS data, they also hold many more data points.
For example, MNOs have to grapple with location-based data; transactional data such as m-commerce, credit card information and TACs (transaction authorization codes) for online banking; and subscribers’ mobile data consumption patterns and IP addresses, just to name a few.
With such a huge data mining honeypot, it’s no wonder that cyber-criminals are turning their attention to such networks, argue Langlois and Gadaix. In fact, the two researchers believe that such breaches within a closed network could be more widespread than people think or know about.
While I’m certainly not trying to be an alarmist, these issues are serious ones and must be raised as more and more of our lives are dependent on that little thing called the smartphone and/or smart devices that connect to MNOs.
When asked why such serious issues have not been widely publicized, Gadaix had a sobering thought to share.
“MNOs have spent millions to develop their brands and they don’t want this to be affected. For me, the problem is that business [for these MNOs] has priority over everything else. These MNOs are constantly trying to launch services in a highly competitive environment, each trying to outdo one another. Because of this, everything is always rushed and as everything is urgent, security often gets overlooked.”
The saving grace so far is that because telecom security is much more niche than general IT security, the number of vulnerabilities and exploits may be potentially lower than that experienced in the corporate IT security world.
In particular, Langlois and Gadaix in their presentation at HITB [the presentation material is about 20MB and the material is quite technical in nature -- ED] note that cyber-criminals can easily exploit a core component known as the SS7 (Signaling System No. 7) Network.
SS7 is a complex set of advanced telephony signaling protocols used by MNOs to control core parts of a mobile network and is aimed at ensuring that millions of voice and data connections are functioning properly.
If memory serves me right, the SS7 Network was not only the most advanced and complex network there was but also one of the most securely designed. But according to these experts, breaches in the network were already happening back then. I can only imagine the kind of progress cyber-criminals have made over the years.
But perhaps the greater travesty in all this is what Langlois and Gadaix say regarding what can be done about the situation today.
“The problem today is that there are a lot of criminals looking to exploit networks for gain, so operators need to adapt to that,” says Langlois. “But the experts who should be advising them are sometimes the same vendors, which [unfortunately] have no interest in publicizing network vulnerabilities. So the MNOs’ decision makers won’t have much credible information, and therein lies the problem,” adds Gadaix.
And things could be worse, as Gadaix says that based on his experience, some MNOs who discover vulnerabilities and who do report them to the vendors are shot down for doing so.
He even notes that some vendors may not want to do anything about it, claiming that any move to do so will void equipment warranty.
“Very often, this happens,” he says, declining to name any vendor in particular.
Just to be sure, I checked with a locally-based telecom security expert I know and can confirm that all the points Langlois and Gadaix related were in the right ballpark.
As someone who has worked at an MNO before, I am appalled and at the same time saddened by the developments that have taken place in the dozen years or so since I left the industry.
In an age where so much of our lives and businesses depend on the Net via mobile networks, you would think that MNOs would be much more careful with the security of their networks. But the truth is that the mobile landscape today is so much more competitive than before, at least from the situation in my day, that it would seem that profits are being sacrificed for security.
Still, I believe that more than ever before, MNOs have the responsibility and accountability to ensure that networks are as safe as possible, and this would mean that they should invest in security – both in technology and skill sets – to ensure that the trust of the millions of subscribers they hold will not be let down and/or compromised.
My personal hope is that MNOs would not let pure profits or growth rates get in the way of the basic charter and raison d'être for which the old Post, Telephone and Telegraph (PTT) entities existed – to serve the public interest and trust by ensuring quality and safe telecommunication services at the most affordable prices.