Network operators in the UK, across Europe and worldwide have seen demand for network traffic grow rapidly in recent years, with users expecting minimal latency and a high Quality of Experience (QoE). Add the ever-growing number of IoT and smart devices supporting Industry 4.0, which are expected to reach into many aspects of our lives over the coming years, and 5G becomes one of the key enablers of these capabilities. As the next evolutionary step after 2G, 3G and 4G, with 6G already being discussed and developed, 5G stands to enable smarter and faster ways of working whilst keeping our everyday communications running. Compared with previous mobile network generations, 5G promises to be faster, more accessible and more secure.
However, this also raises a challenge for network operators: the legacy signalling protocols (SS7 for 2G and 3G, Diameter for 4G) are still in everyday use, and the security built into them is limited. Some operators are considering retiring 2G and 3G and removing their support from the network, but for many operators this will simply not be possible, and with these legacy protocols come inherent vulnerabilities. Those vulnerabilities are being exploited widely and successfully, yet the capability to monitor for and identify this malicious activity is limited. The recent campaigns conducted by the likes of Flubot and Teapot have shown what can be achieved in this environment, and it is likely that other groups will repeat that success. One of the main challenges in the industry at present is the lack of visibility network operators have over their signalling networks.
Within the cyber environment, operators have implemented a multitude of sophisticated solutions over the years, providing endpoint and network visibility so that cyber-attacks can be detected and mitigated at the earliest opportunity. These solutions monitor and collect data over many months, enabling threat hunting teams to identify threats within their networks, which gives end users a good level of security and in turn supports a high QoE. Until now, however, signalling networks have remained largely unmonitored, leaving threat actors free to exploit a threat vector that is far from new but has so far attracted little defensive attention.
Recent operations across mobile networks around the globe have been highly effective. One of the most prolific operations of this year has been named Flubot, a banking malware designed to target Android devices: once installed, it exfiltrates the contacts from the compromised device to a Command and Control (C&C) server and then propagates to those contacts via SMS. This has enabled Flubot to spread very quickly, with early indications of the malware in the United Kingdom before it spread throughout Europe. Within months, Flubot had reached New Zealand, showing just how effective this delivery mechanism can be.
One of the key challenges in detecting Flubot is the way in which it reaches back to its C&C server. It utilises a Domain Generation Algorithm (DGA): rather than embedding a fixed C&C domain, the malware derives a stream of candidate domain names from a seed and, typically, the current date, and works through them until one resolves. The contact point therefore changes over time, and blocking any single domain achieves little. Once Flubot has been installed on a device, a number of functions are available to its operators, including reading, intercepting and sending text messages and stealing credit card information. From a financial perspective there is a lot to be gained by a threat actor utilising Flubot, but there are more nefarious reasons for a group to use it too. In the hands of an Advanced Persistent Threat (APT) or state-sponsored group, the same functionality offers an opportunity to gain intelligence and political advantage.
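The following is an added example written for this article, not code from the original page and not Flubot's own algorithm. It pairs a simplified, date-seeded DGA (an assumed generator, SHA-256 over seed, year, month and index) with the two checks a resolver-log analyst can run against it: a per-name heuristic (long, high-entropy leftmost label) and a per-client rule that flags hosts collecting several NXDOMAIN answers for such names, which is what a bot walking its candidate list looks like. The resolver log lines, client addresses and seed are all constructed for the example; the log format `timestamp client qname rcode` is an assumption.

```python
import hashlib
import math
from collections import Counter, defaultdict


def generate_domains(seed: str, year: int, month: int, count: int = 5, tld: str = ".com") -> list:
    """Illustrative DGA (assumed for this example, not Flubot's): derive `count`
    candidate C2 domains from a seed plus the year and month. The list is
    deterministic, so the malware and a defender who has recovered the seed
    compute the same names in advance (and the defender can sinkhole them)."""
    domains = []
    for i in range(count):
        material = f"{seed}|{year}|{month}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # 20 lowercase letters derived from the digest bytes
        label = "".join(chr(ord("a") + b % 26) for b in digest[:20])
        domains.append(label + tld)
    return domains


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; pseudo-random labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_dga_like(qname: str, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """Cheap per-name heuristic: a long, high-entropy leftmost label.
    Production code would strip the public suffix and add n-gram scoring."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(lines):
    """Assumed resolver log format: 'timestamp client qname rcode'."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            yield {"ts": parts[0], "client": parts[1], "qname": parts[2], "rcode": parts[3]}


def find_dga_clients(lines, min_nxdomain: int = 3) -> dict:
    """Per-client rule: a bot tries candidate after candidate until one is
    registered, so it leaves a run of NXDOMAIN answers for DGA-like names.
    Returns {client: nxdomain_count} for clients at or above the threshold."""
    misses = defaultdict(int)
    for rec in parse_log(lines):
        if rec["rcode"] == "NXDOMAIN" and is_dga_like(rec["qname"]):
            misses[rec["client"]] += 1
    return {client: n for client, n in misses.items() if n >= min_nxdomain}


def build_sample_log() -> list:
    """Constructed log: one clean client (including a harmless typo) and one
    bot that walks the candidate list until the fifth name resolves."""
    candidates = generate_domains("example-seed", 2021, 6)
    lines = [
        "2021-06-01T10:00:01 10.0.0.5 www.bbc.co.uk NOERROR",
        "2021-06-01T10:00:02 10.0.0.5 play.google.com NOERROR",
        "2021-06-01T10:00:03 10.0.0.5 wwww.bbc.co.uk NXDOMAIN",
    ]
    for i, name in enumerate(candidates):
        rcode = "NOERROR" if i == len(candidates) - 1 else "NXDOMAIN"
        lines.append(f"2021-06-01T10:01:{i:02d} 10.0.0.9 {name} {rcode}")
    return lines


if __name__ == "__main__":
    print(find_dga_clients(build_sample_log()))  # {'10.0.0.9': 4}
```

The point of the two-stage check is that neither half is reliable alone: high-entropy labels also appear in CDN and cloud hostnames, and a single NXDOMAIN is usually a typo, but a client that repeatedly fails to resolve random-looking names is worth a look whatever domain the malware finally settles on.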
Aside from the DGA, a further difficulty in identifying this activity is that signalling networks have remained largely unmonitored for many years. Security solutions such as signalling firewalls can detect and block malicious activity, but they largely rely on threats having been identified beforehand: specific parameters within the signalling messages are selected as threat criteria, and traffic meeting those criteria is assumed to be malicious and blocked. Inevitably this identifies only the 'known knowns', so threats that match no existing rule go undetected and remain operational.
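To make the 'known knowns' limitation concrete, here is an added example (not code from the original page or from any signalling firewall product) that runs two rules over a constructed export of mobile-originated SMS records. The signature rule is the firewall-style check: block when the origin global title (GT) is on a blocklist. The behavioural rule keys on what SMS-propagating malware actually does on the signalling side, a single subscriber sending to many distinct recipients in a short window, which no GT-based signature sees because the messages come from a legitimate handset via the operator's own SMSC. The CSV layout (`timestamp,operation,origin_gt,sender,destination`), the MSISDNs, the GTs and the blocklist entry are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque

# Blocklisted origin GTs, as a signalling firewall would hold them.
# The value is constructed for this example.
KNOWN_BAD_GTS = {"882990000001"}

WINDOW_SECONDS = 300   # sliding window for the fan-out rule
FANOUT_THRESHOLD = 10  # distinct recipients per sender within the window


def parse_records(text: str):
    """Assumed export format: ts,operation,origin_gt,sender,destination."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, op, gt, sender, dest = row
        yield {"ts": int(ts), "op": op, "gt": gt, "sender": sender, "dest": dest}


def signature_rule(rec: dict) -> bool:
    """'Known known': the message came from a blocklisted origin GT."""
    return rec["gt"] in KNOWN_BAD_GTS


class FanoutDetector:
    """Behavioural rule: one subscriber sending MO-SMS to many distinct
    recipients inside a short window. Alerts once per sender."""

    def __init__(self, window: int = WINDOW_SECONDS, threshold: int = FANOUT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)  # sender -> deque of (ts, dest)
        self.alerted = set()

    def observe(self, rec: dict) -> bool:
        if rec["op"] != "mo-forwardSM":  # only mobile-originated SMS counts
            return False
        q = self.history[rec["sender"]]
        q.append((rec["ts"], rec["dest"]))
        while q and rec["ts"] - q[0][0] > self.window:  # expire old entries
            q.popleft()
        distinct = {dest for _, dest in q}
        if len(distinct) >= self.threshold and rec["sender"] not in self.alerted:
            self.alerted.add(rec["sender"])
            return True
        return False


def run(text: str) -> dict:
    """Apply both rules in message order; returns the senders each rule hit."""
    detector = FanoutDetector()
    hits = {"signature": [], "fanout": []}
    for rec in parse_records(text):
        if signature_rule(rec):
            hits["signature"].append(rec["sender"])
        if detector.observe(rec):
            hits["fanout"].append(rec["sender"])
    return hits


def build_sample() -> str:
    """Constructed records: a normal subscriber, one message from a
    blocklisted GT, and an infected handset pushing its stolen contact list
    through a legitimate GT."""
    lines = [
        "1622541600,mo-forwardSM,447700900001,447700100001,447700200001",
        "1622541650,mo-forwardSM,882990000001,447700100002,447700200003",
        "1622541700,mo-forwardSM,447700900001,447700100001,447700200002",
    ]
    for i in range(12):
        lines.append(f"{1622541800 + 10 * i},mo-forwardSM,447700900001,447700100009,44770030{i:04d}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(run(build_sample()))
    # {'signature': ['447700100002'], 'fanout': ['447700100009']}
```

The infected sender never trips the signature rule because nothing about its messages is on a blocklist; it is the rate and breadth of sending that gives it away. In practice the threshold and window would be baselined per subscriber segment (bulk-messaging customers are legitimate fan-out), and the same sliding-window approach extends to other signalling operations where a per-subscriber baseline is more informative than a per-message match.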
The signalling network is a growing area of concern. The National Cyber Security Centre (NCSC) released a summary of its findings, 'Security analysis for the UK telecoms sector', in January 2020, and a number of options for better protecting customers of these services have since been considered. This has led to tougher security legislation for the telecoms industry, due to come into force in the near future, which places a much larger focus on the monitoring, analysis and security of these networks.
As technologies evolve and the new legislation comes into force, the monitoring and security capabilities previously reserved for the cyber environment will be in growing demand within signalling networks. Tooling will need to cover the legacy protocols of 2G and 3G alongside 4G and 5G, whilst meeting the data retention requirements set out in the upcoming legislation.