Let's Fix the Real Problem!
There has been a lot of discussion of late around the security of wireless networks. It seems that researchers have turned their sights to the telecom industry (is it possible they are bored of hacking banks?). It is one thing to have a heightened interest resulting in lots of vulnerabilities being disclosed; it's another situation altogether when that research leads to an incredible amount of media coverage.
We have seen a lot of articles being written about the 'recent' research disclosed by a couple of Germans, some of it factual and a lot of it sensationalized and 'Snowden-ized' (I am coining a new phrase). Anything that sounds like Snowden disclosures around spying creates a lot of buzz and grabs lots of headlines, so let's make as much noise as we can. The truth is the current set of exploits still being bandied about in the press and in the industry is so far off-base that the industry has missed the point.
Karsten Nohl shared with CBS his ability to eavesdrop on calls, using SS7 MAP commands. Suddenly, this has become all about SS7 vulnerabilities, and in the US we are even hearing claims made 'by industry' that this is to be expected with legacy technologies that are being phased out, and not to worry because SS7 is being replaced very rapidly.
But wait a minute - SS7 is being replaced with another command and control signaling protocol called Diameter. Diameter will have to support the same basic functions that SS7 supports, namely the ability to roam, and authentication of devices in the network. So the claim that this problem goes away with SS7 is not only incorrect, but leads one to believe that the industry does not truly know and understand the real problem.
What is the real problem? The fact that Karsten Nohl was able to demonstrate his ability to eavesdrop on a Senator's calls (Senator Ted Lieu was the lucky volunteer in this case) using a legitimate network interconnection. He was in Europe when he intercepted the Senator's phone call in the US. Yet he was able to connect to the networks in the US, manipulate the profile of the Senator's phone so it would ring on Karsten's laptop first, and then complete to its original dialed destination. To be fair, Karsten is not the first to demonstrate this capability. There have been several demonstrating this same set of exploits, but none as slick with the media.
How do they do it? Simple. The same way that every network manages the routing of phone calls when you are roaming. Through international network interconnections, commands can be sent to any network connected, to manipulate the direction of phone calls and text messages. That interconnection is no longer limited to just telephone companies. Karsten was able to purchase his own interconnection. So have many other researchers, as well as semi-legitimate companies providing an array of services.
This is really the issue at hand, and the industry is not prepared to deal with it because it is a hard problem to deal with. It requires putting controls in place that limit the amount and level of access that other networks are provided. It requires providing APIs for content providers instead of full control plane access. It requires monitoring and analyzing the interconnection links (at the least) in real-time, all the time and not just for performance on occasion.
Some service providers are getting it, and they are putting controls in place throughout the network. They are putting more monitoring in place to increase their level of visibility, and they are looking at analytics as the next step to ensuring they can identify network anomalies.
Others are jumping on the 'firewall' bandwagon. They will later learn that a firewall is a single-threaded solution, and will not solve their problem. The problem has to be solved in layers, and distributed across gateways and control functions.
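One way to picture the layered controls described above (per-network access limits first, then continuous monitoring of the interconnection links), as an added example that is not from the original article. The peer names, subscriber ids, timing values and operation classes are all constructed; the operation classes are hypothetical labels, not real MAP or Diameter operations.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed data. Layer 1: operation classes each peer may send by contract.
PEER_CONTRACT = {
    "roaming-partner-A": {"location_update", "auth_request"},
    "content-provider-B": {"sms_routing_query"},
}
# Layer 2: network where each subscriber was last active, and when (seconds).
LAST_SEEN = {"sub-001": ("home", 1_000), "sub-002": ("roaming-partner-A", 1_000)}
MIN_TRAVEL_S = {"roaming-partner-A": 3 * 3600}  # minimum plausible travel time

@dataclass(frozen=True)
class SignalingMsg:
    ts: int          # arrival time at the interconnect gateway
    peer: str        # network that sent the message
    op_class: str    # hypothetical label, not a real MAP or Diameter opcode
    subscriber: str

def screen(msg):
    """Return (verdict, reason) for one inbound interconnect message."""
    allowed = PEER_CONTRACT.get(msg.peer)
    if allowed is None:
        return "block", "unknown peer"
    if msg.op_class not in allowed:
        return "block", "operation outside peer contract"
    if msg.op_class == "location_update":
        network, seen_at = LAST_SEEN.get(msg.subscriber, (msg.peer, 0))
        too_fast = msg.ts - seen_at < MIN_TRAVEL_S.get(msg.peer, 0)
        if network != msg.peer and too_fast:
            return "alert", "implausible move to peer network"
    return "allow", "ok"

def monitor(messages):
    """Count blocked or alerted messages per peer link."""
    hits = Counter()
    for msg in messages:
        verdict, _ = screen(msg)
        if verdict != "allow":
            hits[(msg.peer, verdict)] += 1
    return hits

SAMPLE = [  # constructed traffic
    SignalingMsg(1_060, "roaming-partner-A", "location_update", "sub-001"),
    SignalingMsg(1_060, "roaming-partner-A", "location_update", "sub-002"),
    SignalingMsg(1_070, "content-provider-B", "location_update", "sub-001"),
    SignalingMsg(1_080, "content-provider-B", "sms_routing_query", "sub-001"),
    SignalingMsg(1_090, "unlisted-peer", "auth_request", "sub-001"),
]
```

The first sample message passes the contract check and is caught only by the plausibility layer, which is why a single allow/deny list at the edge is not sufficient on its own.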
The most important lesson to be learned here is that service providers can no longer operate their networks as if we are in a trusted environment. There is no trust. As soon as IP was introduced into our networks, the doors were opened, and when there is no limitation on the level of access into a network, well, you get the picture.
The industry must respond to the real problem here, and not the symptoms. The industry needs to begin policing its connections, beginning with contracts, and extending all the way to the gateways. The industry needs to increase its investment in security instead of investing only when it has to react to a headline or worse, a newscast.
Failing to recognize the problem, and treating only the symptoms, will lead to both regulation and legislation. This is already in the works. I have had numerous conversations around the world with both regulators and legislators, and they are taking a serious look at this problem. If the industry cannot come up with an answer quickly, government will do it for them.
I am confident the industry will do the right thing, provided they pay attention to the real problem at hand, ignore all the hype being spewed by vendors and media alike, and do some real investing before they move to virtualized networks. The time is now!
The above is my own personal opinion, and does not reflect the opinion or position of my employer, Oracle USA.
Cybersecurity Architect/Practitioner/Communicator - Building NextGen Security Solutions
(4 years ago) It may have been a few years, Travis Russell, but you are still disturbingly correct. May I ask if we are seeing the progress you called for when this was written: "... controls in place that limit the amount and level of access that other networks are provided. It requires providing APIs for content providers instead of full control plane access. It requires monitoring and analyzing the interconnection links (at the least) in real-time, all the time ..."? A gentle encouragement to write more, your voice is most welcome!
Vice President of Engineering at Stack Sports
(8 years ago) Great article Travis, spot on!
CEO & Founder
(8 years ago) Great article... So on the money!!
Great job as always Travis Russell.