While a diverse, multi-dimensional range of cyber security solutions has become a mandatory requirement for enterprises’ critical data centers, the telecommunication backbone is still considered a “walled garden”. Network operators have trusted traditional perimeter defense measures such as firewalls and have also relied on the fact that their critical elements are supplied by a relatively small number of certified vendors providing proprietary technologies.
The current transition to network functions virtualization (NFV) significantly increases security hazards and vulnerability, since the NFV environment is heavily based on open-source software, generic operating systems, and the decomposition of traditional appliances into smaller independent software modules that communicate autonomously, as well as on flexible design and dynamic configuration.
The dramatic penetration of Internet of Things (IoT) services also escalates security challenges for telcos, since some of these services are highly sensitive and critical (e.g. health care) and because the enormous number of connected devices loads the control plane with traffic and makes detection of security breaches far more difficult.
We will demonstrate mobile networking backbone vulnerabilities and the potential damage attackers may cause in the following three scenarios:
#1 Privacy catastrophe
#2 Financial catastrophe
#3 Performance catastrophe
Telco catastrophe #1
In this scenario the attacker targets a geographic location, such as a specific neighborhood, and reveals all the subscribers located at the spot at any given time.
How was subscribers’ geographic location exposed without their knowledge?
- The MME (Mobility Management Entity) holds the current cell identification (eNB ID) of every subscriber it serves.
- By gaining “online” access to the MME, the attacker can retrieve and maintain a list of subscribers for each of the monitored geo-areas.
How was the MME compromised?
- The attacker started by gaining access to one of the telco technicians’ internet-connected devices. Since the technician’s ongoing work requires frequent access and permissions to core elements, operations performed fraudulently on his behalf appear legitimate.
- Once the attacker has gained access to the MME, he implants malicious code that lets him remotely query the MME and receive online updates on subscribers entering and leaving locations of interest.
- Manipulated SS7 messages might be used by the attacker as a hidden, direct, and online channel to communicate with the compromised MME.
Evidence for this type of scenario has already been demonstrated: cyber attackers gained access to sensitive core elements as part of the sophisticated campaign dubbed “Regin”, in which BSCs (Base Station Controllers) of a large telco were hacked, queried and manipulated.
Furthermore, the insecurity of SS7 has already been disclosed by several research groups that repurposed standardized SS7 messages for surveillance (e.g. rerouting of calls and SMS). In one of those cases, the SS7 procedure called “MAP Any Time Interrogation” was maliciously reused to track locations.
The NFV environment, due to its heavy dependency on IT infrastructure and the resulting expansion of the set of permissioned administrators, as well as its use of decomposed software running on generic operating systems, enlarges attackers’ access surface and eases their task of compromising and manipulating network elements; it will therefore require new self-learning and procedure-based detection and analysis security methodologies.
Telco catastrophe #2
In this scenario, subscribers abroad who consume expensive services such as international calls or mobile internet access are charged less (or not charged at all) for those premium services. When this fraud discounts or disables charging for thousands of subscribers, the damage to the telco’s revenues is significant.
How was valid billing discounted or discarded?
- The P-GW (PDN Gateway) provides internet access to the telco’s subscribers when they roam to other countries. It also produces call data records (CDRs) and forwards them to billing servers upon termination of each connection, per subscriber and per connection.
- Once the attacker compromises the P-GW that serves the telco’s roamers, he can implant malicious code that drops specific, sporadic, or all generated billing records for the roamers’ activity, thereby manipulating the billing for that activity.
How was the P-GW compromised?
- The P-GW provides mobile subscribers with internet access and performs inter-protocol processing (encapsulation) of IP packets.
- An attacker who establishes a client-server connection via the P-GW can probe it for vulnerabilities, either in a “live” network or in an “offline” isolated model environment.
The NFV environment, due to its inherent use of generic operating systems as well as its built-in open-source platforms and modules, will be far more susceptible to similar remote-code-execution-based manipulation attacks, and will therefore require new, highly sensitive, service-aware security methodologies.
Telco catastrophe #3
In this scenario the attacker targets a large number of sporadic calls and data connections and randomly cuts calls and downgrades rates. As a long-term result, subscribers complain about poor quality of service and an unbearable gap between their service agreements and their actual experience.
How did the denial of service occur?
- The eNB network element was affected as the subscribers it served were redirected to the attacker’s fake cell.
- Once the fake cell mimics a valid cell and transmits a strong RF signal, subscribers’ devices may switch to it and from that point on be controlled by the attacker. This control enables the attacker to disconnect subscribers, slow down their traffic rates, and deny specific services.
How was the eNB compromised?
- Setting up a fake cell is considered a minor challenge: in some cases the telco itself offers micro cells, and in other cases purchasing and configuring the equipment is easy (as demonstrated in several academic papers and commercial articles).
Evidence for this type of scenario has already been demonstrated with Vodafone’s Sure Signal femtocells. In a publicly reported case, hackers managed to reverse engineer a Vodafone femtocell and turn it into an interception device. This flaw allowed subscribers’ calls and voice mails to be hacked.
The NFV environment, due to its separation of control and data planes, as well as its centralized data centers hosting distributed elements, will be far more susceptible to wider, software-based E-UTRAN attacks, and will therefore require new micro-segmentation and behavioral-analysis-based security methodologies.
Anomaly detection solutions based on behavioral analysis, machine learning tools, and deep expert knowledge of the protected LTE network services are expected to play a significant role in telcos’ cyber security, because of their ability to provide the holistic, accurate, and self-adjusting security solution that is essential in the new era.
In the three scenarios, the early error detection and precise root cause analysis provided by an anomaly detection solution would have detected:
- Out-of-order malicious SS7 messages entering and leaving the compromised MME in scenario #1.
- Cross-interface procedural inconsistency between terminated roaming EPS sessions and the derived CDRs forwarded to billing systems, caused by the compromised P-GW in scenario #2.
- Irregular correlated traffic volume or abnormal values of specific protocol fields on the S1AP interface between the compromised eNB and its serving MME in scenario #3.
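As an added illustration of the scenario #2 check (example code written for this page, not any product’s or the author’s), the following Python reconciles P-GW session-termination events with the CDRs that reached billing and flags sessions whose CDR is missing, late, or zero-charged; the record fields, the sample records and the 5-minute grace window are assumptions.

```python
"""Cross-interface CDR reconciliation for the compromised P-GW scenario (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEnd:
    imsi: str            # subscriber identity (constructed test-PLMN values below)
    session_id: str      # PDN session / bearer identifier (assumed field)
    ended_at: datetime   # when the P-GW reported the session as terminated
    roaming: bool        # True if the subscriber was roaming abroad


@dataclass(frozen=True)
class CDR:
    session_id: str
    imsi: str
    emitted_at: datetime  # when billing received the record
    charged_bytes: int


def reconcile(sessions, cdrs, grace=timedelta(minutes=5)):
    """Match each terminated session to its CDR; report missing, late and zero-charge CDRs."""
    by_session = {c.session_id: c for c in cdrs}
    findings = {"missing": [], "late": [], "zero_charge": []}
    for s in sessions:
        c = by_session.get(s.session_id)
        if c is None:
            findings["missing"].append(s.session_id)       # P-GW dropped the record
        elif c.emitted_at - s.ended_at > grace:
            findings["late"].append(s.session_id)          # delayed beyond the grace window
        elif c.charged_bytes == 0:
            findings["zero_charge"].append(s.session_id)   # record exists but charges nothing
    return findings


def roamer_drop_rate(sessions, findings):
    """Fraction of terminated roaming sessions with no CDR; compare against a learned baseline."""
    roaming = [s for s in sessions if s.roaming]
    if not roaming:
        return 0.0
    missing = set(findings["missing"])
    return sum(1 for s in roaming if s.session_id in missing) / len(roaming)


# Constructed sample data: three roaming sessions and one domestic session.
T0 = datetime(2016, 3, 1, 10, 0, 0)
SESSIONS = [
    SessionEnd("001010000000001", "s1", T0, True),
    SessionEnd("001010000000002", "s2", T0 + timedelta(minutes=1), True),   # no CDR at all
    SessionEnd("001010000000003", "s3", T0 + timedelta(minutes=2), True),   # CDR arrives late
    SessionEnd("001010000000004", "s4", T0 + timedelta(minutes=3), False),
]
CDRS = [
    CDR("s1", "001010000000001", T0 + timedelta(seconds=10), 52_000),
    CDR("s3", "001010000000003", T0 + timedelta(minutes=30), 8_000),
    CDR("s4", "001010000000004", T0 + timedelta(minutes=3, seconds=5), 12_000),
]
```

Calling `reconcile(SESSIONS, CDRS)` on the sample data flags s2 as missing and s3 as late, and `roamer_drop_rate` then reports that one of three roaming sessions lost its CDR.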