The European Union Agency for Network and Information Security, ENISA, has released a research paper which highlights that the security flaws of yesteryear are still a threat in the 5G world of tomorrow.
The concern is based on the idea that mobile networks are still dependent on SS7 and Diameter for controlling communications (routing voice calls and data), protocols which were designed for the 2G/3G era with little attention paid to security. While there has been progress made, ENISA believes the protocols are fundamentally flawed, leaving potential vulnerabilities open on the networks of tomorrow. As connectivity is now one of the foundations of today’s economy, the consequences of this oversight could be considerable.
“In this context, ENISA has developed a study, which has examined a critical area of electronic communications: the security of interconnections in electronic communications, also known as signalling security,” said Udo Helmbrecht, ENISA’s Executive Director. “An EU level assessment of the current situation has been developed, so that we better understand the threat level, measures in place and possible next steps to be taken.”
Initial 2G and 3G networks relied on SS7, though this protocol was designed decades ago without conception of today’s threats. 4G technology uses a slightly improved signalling protocol called Diameter, which was based on the same interconnect principles, and this proved to be theoretically vulnerable. As the industry moves forward, using the same principles again could be a major issue when 5G networks become prevalent over the next few years.
The issue here is scale. As our lives become more dependent on connectivity and the digital economy, problems are compounded. A vulnerability might have led to a minor issue a decade ago, but considering the dependence we have on digital nowadays (which is continuing to increase) the issues are growing exponentially.
This is not a challenge which will be new to those in the telco space, as despite the preaching, security is still an afterthought. Various companies will claim security is top of the agenda, though few have backed up these promises with action. ENISA is now suggesting the European Commission and national regulators consider new legislation and regulation, so that signalling security is covered in terms of incident reporting and adoption of minimum security requirements.
As it stands, the industry has been working to tackle the basic principles of security, which will protect an organization from basic attacks. But considering the complexity of the threats is only increasing, a trend which will only get faster with the normalization of artificial intelligence, the industry needs to take a much more stringent approach.