When you travel between countries, the mobile operators that temporarily provide service to your phone need to communicate with your operator back home. This is done over a global interconnection network where most traffic still uses an ageing protocol, called SS7, that's known to be vulnerable to location tracking, eavesdropping, fraud, denial of service (DoS), SMS interception and other attacks.
With the advance of Long-Term Evolution (LTE) networks, some roaming traffic is switching to a newer protocol, called Diameter, that's more secure than SS7 in theory, but which still allows for attacks if it's not deployed with additional security mechanisms.
For example, IPsec (Internet Protocol Security), a secure communications suite that authenticates and encrypts each IP (Internet Protocol) packet, has been standardized for Diameter. But while implementing it is mandatory, actually using it is optional.
In practice, IPsec is rarely used on the global interconnection network, for various reasons, and this means that many of the attacks that are possible with SS7 are also possible, or have equivalents, in Diameter, according to researchers from Nokia Bell Labs and Aalto University in Finland.
The researchers ran experiments on a test network set up by an unnamed global mobile operator and simulated attacks launched from Finland against U.K. subscribers. They found several methods of disrupting service to users, temporarily and permanently, and even a method that could affect important nodes that provide service to entire regions. The results were presented Friday at the Black Hat Europe security conference in London.
First off, attackers would need to gain access to this private interconnection network (IPX) in order to attack another operator's systems or subscribers. However, this is not hard to achieve, as multiple incidents have shown in the past, and there are different ways to do it.
Attackers could, for example, pose as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by existing operators, some of which are, sadly, accessible from the internet, when they shouldn't be.
If the attacker is actually a government, it could leverage its power over local operators to gain access through them. And if that doesn't work, bribing an employee from an operator is also an option.
Finally, access could be bought from other hackers that already have it. There have been services on the "dark" market that sold access to this network and there will probably be more in the future.
An operator's LTE network is made up of cell towers; nodes called MMEs (Mobility Management Entities) that provide session management, subscriber authentication, roaming and handovers to other networks; and a home subscriber server (HSS), the crown jewel that holds the master subscriber database. At the edge it has Diameter Edge Agents (DEAs), which serve as links to the interconnection network via IPX providers.