Legacy technologies as a threat to EU’s telecommunications infrastructure
EU level assessment of the current sets of protocols used in interconnections in telecommunications (SS7, Diameter).
Published on March 28, 2018
Nowadays, telecommunications is a key infrastructure, given how our society works. It constitutes the main instrument that allows our democracy and our EU core values such as freedom, equality, rule of law and human rights to function properly. There are currently over 5 billion unique mobile subscribers and over 2000 mobile operators worldwide. In Europe, we have 456 million unique mobile subscribers, which is equivalent to 84% of the population.
Mobile networks worldwide still depend on SS7 and Diameter for controlling communications (routing voice calls and data), as well as on sets of protocols that were designed decades ago without adequate consideration of modern-day security implications. In this respect, the interconnected environment has become perilous.
As today’s society is becoming more and more digital, such vulnerabilities might inhibit the proper functioning of the mobile networks, thereby impacting the operation of the digital markets. A full range of new services (e.g. cloud, financial etc.) is being developed or is relying on the primary infrastructure offered by electronic communication providers (e.g. energy, transportation, eHealth etc.).
“In this context, ENISA has developed a study, which has examined a critical area of electronic communications: the security of interconnections in electronic communications, also known as signalling security. An EU level assessment of the current situation has been developed, so that we better understand the threat level, measures in place and possible next steps to be taken,” said Udo Helmbrecht, ENISA’s Executive Director.
The most important findings of the study are:
- The first generations of 2G/3G mobile networks rely on SS7, a protocol designed decades ago without considering security. The industry and the security research community have started to look into the good practices and necessary tools that are already available. Basic security measures seem to have been implemented by more mature providers, but these measures only assure a basic level of protection. More effort is still needed to achieve an adequate level of protection across the EU.
- The current 4G mobile telecommunication generation uses a slightly improved signalling protocol called Diameter. Based on the same interconnect principles, the protocol has been proven to be theoretically vulnerable. The industry is still trying to understand exactly what the implications are and to identify possible workarounds. It is highly probable that in the near future we will see real attacks as well as suitable solutions becoming available.
- The new 5G mobile generation is still under development. Early releases from some manufacturers are already available, but the standards are still in their infancy. Nevertheless, there is a risk of history repeating itself. Given the improvements that 5G will bring – such as more subscribers, increased bandwidth etc. – having the same security risks can be extremely dangerous.
The report also makes several recommendations to stakeholders:
The EU Commission:
- Consider revising the current legal landscape in order to encompass signalling security.
- Consider the adoption of baseline security requirements for electronic communications providers to include signalling security.
National Responsible Authorities:
- Regularly analyse the situation at national level and be aware of any developments that can trigger significant incidents in this area.
- If necessary, consider revising the national legislation, so that signalling security is covered in terms of incident reporting and adoption of minimum security requirements.
The industry:
- Electronic communication providers: implement the necessary measures to ensure an adequate level of security and integrity of telecommunication networks.
- Responsible standardisation bodies: ensure that signalling security is properly covered within the new 5G standards.
The report was developed with support from ENISA’s Art. 13a Expert Group, an informal group of EU national regulators from most of the Member States, covering security and integrity in electronic communications providers. EU operators were reached through the group, and its members have been involved in the validation of the findings. The project is part of the overall work ENISA is delivering periodically within the Art. 13a Expert Group. Since 2010, ENISA has committed substantial resources and provided many guidelines and other materials to support the EU electronic telecommunication area.
The European Commission was also involved in the study, in its capacity as policy-maker and as the body responsible for the good implementation of the 5G PPP project.
In addition, the GSMA has hugely supported the development of the project by giving us access to specific documentation and promoting the study among their stakeholders.
The full report can be consulted here: Signalling Security in Telecom SS7/Diameter/5G