Some Telling Developments
Posted May 2018
In the US, the SS7 hacking of a prominent US Congressman’s mobile, live on television’s 60 Minutes programme, did more than just raise awareness of the security weakness: it led to direct government interest and action.
First, the Federal Communications Council (FCC), an independent Government agency, produced a report which acknowledged the threat and made a series of recommendations, one of which was that operators employ signalling firewalls to prevent attacks and protect their networks. That report was then followed by one from the Department for Homeland Security (DHS), which has also published its study on mobile device security.
The DHS report highlights the reliance on mobile devices and networks across all branches of Government in the USA. It also flags that the typical use of these devices lies outside traditional protected government networks. And although the US Government and its agencies can be regarded as a major customer responsible for hundreds of thousands of mobile devices in a global industry – with approaching 5 billion mobile subscribers worldwide – the government has an insignificant market share and its buying power cannot be used to influence market decisions.
The DHS report is full of suggestions and advice for the carrier community – asking operators to perform vulnerability checks, implement monitoring systems and carry out continuous assessment and protection – quoting the GSMA’s FS11 standard as good practice. The report also says that in order to fully protect the nation’s interests and maintain security, the government should consider both legislative and regulatory authority and powers to safeguard the US mobile network. The report says that the default level of security on devices, optimized for consumer ease of use, is 'not appropriate for federal employees'.
The DHS worked with another Government body, the National Institute of Standards and Technology, to assess the threats to both devices and network infrastructure. Although it believes some improvements have been made, it is by no means satisfied that enough has been done.
The DHS is worried about advanced nation state attacks, organized crime using advanced fraud techniques, call interception, monitoring and location tracking. It acknowledges that many of these threats apply to consumers as well as federal employees and the network operators themselves.
The report specifically calls out weaknesses in SS7 and Diameter signalling, which it says cannot be solved by tightening security on mobile devices. With an eye to the future, the DHS also calls for significant research into hardening 5G networks currently in development.
There’s no doubt that the FCC, DHS and NIST are looking to increase the pressure on US operators to act. Indeed, one of the report’s recommendations is that Government organizations buying mobile services should include ‘requirements that carriers mitigate against SS7/Diameter threats and other monitoring, tracking, invasion of privacy and denial of service vulnerabilities’.
In its conclusions, the DHS says it needs the proper resources and authority to address these serious challenges to the security and resilience of the nation. Of course, operators will be wary of over-regulation, but the signs seem clear. Government agencies believe it is time to consider a move away from persuasion and towards enforcement when it comes to mobile network security – and that’s a telling development.