Encryption is not the answer
I am at Black Hat this week, enjoying the summer heat of Las Vegas while enduring death by PowerPoint. It seems that SS7 security continues to be a sexy topic at hacker events, and encryption keeps getting tossed around as the solution to all network problems.
The reality is encryption will not prevent SS7 or Diameter location tracking, SMS intercept, or call intercept. Encryption at the MAP or AVP layers will only complicate mitigation, and create a false sense of security.
Let me explain why. The problem we are experiencing in our industry today is not that SS7 is insecure, or that Diameter does not have enough security features. Both SS7 and Diameter are simply the vehicles used to abuse network connections (or roaming interconnects, as they are often called). You can put all of the security you want in the protocol, and we will still have the same problem. You can encrypt the entire packet, and we will still have the same problem.
The problem is we have operators and content providers that are selling access to their networks, which connect to the global roaming ecosystem. With that access, these operators are also selling their global title ranges. This means that a hacker can purchase a connection (using IP), and send SS7 or Diameter commands using the network ID (global titles) of the operator that sold them the access. All other networks recognize these network IDs as roaming partners, and allow the commands to enter their network.
If encryption were implemented, the hacker would still be connecting to the rogue network, which would simply authenticate the hacker and send their traffic to its destination. This is why encryption is not the answer. As long as we have companies in the roaming ecosystem that are complicit in the selling of access to the control plane, we will never be able to establish any trust zones, nor will we be able to stop the abuse.
This is why I continue to maintain that the best mitigation today is to limit the amount of access roaming partners have into the network. Rather than grant them full access to the entire network, use the gateways (STP or DEA) to enforce access policies on these partners. This will go much further in preventing network abuse than encryption, and will set the stage for the next evolution of wireless networks.
Call it access control, access management, or gateway filtering. It's the most basic of network security practices: restricting access to the network using what is referred to as "least access privilege," and it is what is missing from the wireless networks of today.
As always, the above is my own personal opinion and not necessarily the opinion of my employer.
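One way to express the per-partner gateway policy the article argues for, as an added example that is not part of the original article and not any vendor's STP or DEA configuration. The link IDs, global title prefixes and allowed-operation sets are constructed for illustration, and only MAP operations are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PartnerPolicy:
    name: str
    gt_prefixes: tuple       # global title prefixes assigned to this partner
    allowed_ops: frozenset   # MAP operations the roaming agreement requires

# Constructed policy table keyed by interconnect link; every value is illustrative.
POLICIES = {
    "link-A": PartnerPolicy("Partner A", ("99901",),
                            frozenset({"updateLocation", "sendAuthenticationInfo"})),
    "link-B": PartnerPolicy("Partner B", ("99902", "99903"),
                            frozenset({"updateLocation", "sendAuthenticationInfo",
                                       "sendRoutingInfoForSM"})),
}

def evaluate(link_id, calling_gt, operation):
    """Return (decision, reason) for one inbound message. Default is deny."""
    policy = POLICIES.get(link_id)
    if policy is None:
        return ("drop", "unknown link")
    # A valid partner GT arriving on another partner's link is rejected.
    if not calling_gt.startswith(policy.gt_prefixes):
        return ("drop", "calling GT not assigned to this link")
    # A recognized partner still gets only the operations it needs.
    if operation not in policy.allowed_ops:
        return ("drop", "operation not permitted for this partner")
    return ("forward", "permitted")

# Constructed inbound messages: (link, calling GT, MAP operation).
SAMPLE = [
    ("link-A", "9990155501", "updateLocation"),
    ("link-A", "9990155501", "anyTimeInterrogation"),
    ("link-A", "9990255501", "updateLocation"),
    ("link-B", "9990355501", "sendRoutingInfoForSM"),
    ("link-C", "9990155501", "updateLocation"),
]

def run(messages=SAMPLE):
    return [evaluate(*m) for m in messages]

if __name__ == "__main__":
    for msg, (decision, reason) in zip(SAMPLE, run()):
        print(msg, "->", decision, f"({reason})")
```

The second sample message is the case the article describes: the sender uses a recognized partner's global title on a known link, so authentication or encryption would not stop it, and only the per-partner operation list does.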
Manager Mobile and Wireless Technology Engineering at Vodafone Cook Islands
7 years ago
Thank you for sharing your thought on a more secured environment.
Director, Product Security at Oracle - Communications Global Business Unit
7 years ago
Excellent points. Sometimes we look for technology such as encryption to solve problems when basic principles such as access control and least privilege are overlooked.
Senior Information Security Manager | vCISO | 5G Security Professional
7 years ago
Maintaining proper encryption makes sense in the radio part - where the access to media is not sanctioned. The only thing I would add is the basic rule for interconnect - "know your partner's services better".
Publisher and Editor of Commsrisk since 2006
7 years ago
So true. The foxes have long been allowed to roam inside the henhouse. Better fencing only gives the illusion of security.
Technical Support Engineer | Technical Project Manager | Telco Platforms | Telco Clouds | Observability | Kubernetes
7 years ago
Cassio Lopes