Interconnection Security:

An EU level assessment
ENISA’s IR Team | Secure Infrastructures & Services Unit
24th Article 13a EG workshop | Vienna | 28.2.2018
European Union Agency for Network and Information Security
You can teach an old protocol new tricks

Many stakeholders are paying attention to this

• Hacking conferences (CCC, Hackito Ergo Sum,…)
• Media Coverage (Washington Post, CBS,…)
• Regulators (Nordic, FCC,…)
• Organizations (GSMA, ITU, ETSI,…)

Interconnection Security | ENISA IR Team –COD1 Unit 2

What can go wrong?

• Data session hijacking: Belgacom case

• Eavesdropping: CBS 60 minutes
• mTAN interception: O2
• One time password theft: Positive technologies
• SMS and one time password interception: IEEE 2017
• Subscriber Profile Extraction and Modification: NSS 2017
• 2018?

Interconnection Security | ENISA IR Team –COD1 Unit 3

Perceived risk from signalling

10%

51%
Medium 39%

High

Low

Interconnection Security | ENISA IR Team –COD1 Unit 4

Common types of attacks
90%
84.62%

80%

70%

60% 56.41%

48.72%
50%
41.03%
40%

30%

20%
12.82%
10% 5.13% 5.13%
2.56%
0%

SMS Spam Spoofing

Location Tracking Subscriber Fraud

Text Message Interception Subscriber or provider Denial of Service

Routing attacks Call Interception

Interconnection Security | ENISA IR Team –COD1 Unit 5

How often?

7.69%
12.82%

17.95%

less than 10
61.54%
10 to 100

more than 100

Interconnection Security | ENISA IR Team –COD1 Unit 6

How we protect ourselves?
100%

90% 87.18%

80%
71.79%
70%

60%

50%

40%
33.33%

30% 28.21%
25.64%
20.51%
20%
12.82%

10%

0%

Implement SMS Home Routing Filtering on transit and end nodes

Active Testing / Auditing Implement Signalling Firewall
Other Avoidance of Optimal Call Routing
Implement Advanced Analytics

Interconnection Security | ENISA IR Team –COD1 Unit 7

Guidelines on signalling security
90.00%

80.00% 76.92%

70.00% 66.67%

60.00%
53.85% 53.85% 53.85%

50.00%

40.00% 35.90%
30.77%
30.00%
20.51%
20.00%

10.00%

0.00%

GSMA FS.11: SS7 Monitoring

GSMA FS.07: SS7 filtering
GSMA FS.19: Diameter interconnect security
GSMA IR.82: Security SS7 implementation on SS7 network guidelines
GSMA IR.88: LTE roaming guidelines
GSMA IR.77: Inter-Operator IP Backbone Security Requirements
GSMA IR.67: DNS and ENUM guidelines for Service Providers & GRX and IPX Providers
3GPP TS 33.117, TS 33.116 or TS 33.250: Security Assurance on critical nodes

Interconnection Security | ENISA IR Team –COD1 Unit 8

5G security concerns
80.00%

71.79%
70.00%

61.54%
60.00%

50.00%

40.00% 35.90%

30.00% 28.21%

20.00%

10.00%

0.00%

The same vulnerabilities could still be present

IoT and M2M roaming would open new Diameter interfaces for interconnect

Slicing may cause interconnect to be completely redesigned

End-to-end Diameter security would break wire-compability with existing interconnect

Interconnection Security | ENISA IR Team –COD1 Unit 9

Conclusions

• Level of risk: Medium to high!

• Proper attention needed by all stakeholders
• Diameter inherited the risk
• Basic measures are in place but they are basic!
• Attacks are evolving
• 5G: A brand new threat playground?

Interconnection Security | ENISA IR Team –COD1 Unit 10

High level recommendations
EU Commission ENISA – Article13a EG
• 5G PPP (security) • Further analysis of the situation to
• Baseline security measures for identify further developments
interconnections • EU high-level guidelines to assure
• Funding to improve protection advanced protection at MS level
• Increase international cooperation
NRAs Industry
• Regularly analyze national • Operators: adopt measures to
situation and be aware of new ensure adequate level of security
developments • Standardisation bodies: Ensure
• Develop national security is properly addressed on
guidelines/minimum security the new 5G standard to avoid
measures current threats

Interconnection Security | ENISA IR Team –COD1 Unit 11

Technical recommendations

• Ensure global and exhaustive monitoring of SS7 / Diameter /

GTP
• Operators should be capable to protect against basic attacks
• Operators should adopt SS7 / Diameter firewalling
• Development of specifications and standards for new mobile
signaling elements
• Promote communication between operators’ CERTs/SOCs at
EU level

Interconnection Security | ENISA IR Team –COD1 Unit 12

Good practices

Advanced
- Redirect to captive environment
- Detect prequels to attacks
- Detect advanced attacks
- Deeply screen signalling messages

Intermediate
- Regularly perform external network security assessments
- Ensure liability and legality of responses to malicious traffic
- Analyse Interconnect messaging
- Advice carriers to adopt security options in their interconnect offers

Core measures
- Monitor all interconnect traffic
- Monitor core network elements
- Monitor outgoing traffic

Interconnection Security | ENISA IR Team –COD1 Unit 13

Thank you
PO Box 1309, 710 01 Heraklion, Greece

Tel: +30 28 14 40 9710

info@enisa.europa.eu

www.enisa.europa.eu