33.4k unique visitors in the last 3 days

5G Standalone Will Reduce the Security of Roaming

Whilst 5G SA offers more secure roaming in theory, the operational compromises required in practice leaves it less secure than 2G, 3G or 4G roaming.

It has been said that the road to hell is paved with good intentions. In this article, I will explain why the security of bilateral 5G standalone (SA) roaming connections has been undermined by GSMA’s hosted Security Edge Protection Proxy (SEPP) model, by operational and service considerations, and by the dependency on 2G‑4G roaming value added services from IPX providers and roaming hub providers.

Given the continuous flow of security incidents in 2G, 3G, and 4G mobile systems and the growing dependency on mobile communications in digital transformation, 3GPP made a radical change for 5G with their mission of Zero Trust Architecture (ZTA) or ‘security by design’ principle with the standardization of the 5G System. This involves a significant shift in existing telecommunication practices, far beyond merely adopting a new technology paradigm.

The initial 3GPP approach for 5G SA roaming was well thought out. It is based on a simple end-to-end connection model between adjacent roaming partners, similar to the client-server model used in IT systems and the internet. Using the TLS (Transport Layer Security) protocol, bilateral 5G SA roaming associations can easily ensure confidentiality, authenticity, and integrity protection. This secures the HTTP/2 roaming control signaling messages over the N32 interface, encrypting them between the SEPP functional entities at both ends. The following diagram depicts this straightforward model for bilateral 5G SA roaming connection between two 5G Core networks as adopted by the GSMA as the Direct TLS model.

Direct TLS model for 5G roaming (reference GSMA NG.132 Figure 6)

The end-to-end encryption of N32 roaming control messages is ideal from a security perspective. It ensures that sensitive parameters, such as authentication vectors, are fully protected throughout the entire transmission. This prevents local mobile operator-specific information from being intercepted, as the vectors could be exploited by attackers to gain unauthorized access to radio links. Such access could lead to eavesdropping on conversations, blocking radio access, or other misuse of radio resources. Additionally, privacy and tracking vulnerabilities arise if the identities of roaming users and their locations are exposed.

However, in practice, this simple bilateral 5G SA roaming model comes with numerous operational and service challenges that are only workable under the following conditions.

  1. Operational Complexity — A direct operational contact and contractual relationship are needed between both roaming partners for each 5G SA roaming interconnection.
  2. Network Monitoring — Systems at both ends need to be integrated within the closed security association of the end-to-end protected 5G SA roaming interconnections.
  3. IPX Service Providers — The role of these intermediate services becomes restricted to simple IP routing and QoS transport services due to the end-to-end encryption of the 5G SA signaling messages.

This creates a number of principal disruptions of the existing roaming service practices in 2G-4G that are further discussed below.

Disruption 1: Operational Complexity

Direct operational contact and a contractual relationship are prerequisites for exchanging security keys for end-to-end cryptographic information transfer. Unlike the internet, there are no Certificate Authorities (CAs) recognized by the GSMA as universally trusted for all mobile operators or for operators in different geopolitical regions. This adds a critical layer of complexity to operations, in addition to signaling interworkings (IP, TLS, and N32), Roaming Value Added Services, SLAs, SLOs, and guarantees for bandwidth and latency for each bilateral 5G SA roaming interconnection.

Disruption 2: Network Monitoring

These systems are essential for the operational staff of each mobile operator to ensure the proper functioning of the bilateral roaming connection and to detect irregularities, including security and fraud incidents. With encrypted N32 signaling transfer, monitoring systems must be integrated with the SEPPs or other 5G Core functional elements to access the unencrypted content of the signaling messages.

Disruption 3: IPX Service Providers

In the current 2G-4G roaming ecosystem, IPX service providers offer services such as KPI service level statistics and billing for sequences of SS7 and Diameter signaling messages. However, for bilateral 5G SA roaming interconnections, the role of IPX service providers is reduced to IP routing and QoS transport due to the end-to-end encrypted N32 signaling transfer.

Given the above disruptions of existing roaming service practices, initial deployments of 5G SA Roaming show that some mobile operators are already compromising the security of their bilateral 5G SA Roaming interconnections.

Compromise 1: Hosted SEPP to Simplify Operational Complexity

Given the complexity of operating a SEPP with all the individual roaming connections and cryptographic hassle, outsourcing is very attractive. Although the Hosted SEPP is defined by the GSMA and promoted by Deutsche Telekom as part of their Magenta Security Roaming offer, this deployment model violates the end-to-end security model as defined by 3GPP because the N32 roaming control messages are given in the clear to the hosted SEPP provider. This makes each hosted SEPP provider an interesting attack target as a honeypot. In this regard, we may remember the 5-year data hack at Syniverse.

Compromise 2: Disabling TLS to Ease Network Monitoring

Several cybersecurity firms report that mobile operators don’t use TLS on their N32 interfaces, leaving all HTTP/2 signaling messages unencrypted and sent in the clear. Although this practice is common for 2G-4G roaming with the SS7 and Diameter signaling messages in the clear, it must be considered that 5G is far more vulnerable to attacks than 4G given the technological openness of the 5G systems, the adoption of the internet protocol stack for 5G, and the cloud-native solutions for 5G. Consequently, not using TLS is a very bad idea and looking for trouble.

Compromise 3: RVAS Outsourcing to Specialized IPX Providers

In recent decades, the worldwide roaming ecosystem has greatly expanded, and roaming services have become more advanced. IPX providers have stepped in to offer Roaming Value Added Services such as Steering of Roaming (SoR), as an outsourcing alternative, particularly for smaller mobile operators and new entrants. A few IPX providers have become Roaming Hub providers, acting as intermediaries for end-to-end roaming associations between mobile operators without direct roaming contracts. Roaming Value Added Services could easily be added to the 2G-4G roaming ecosystem because the SS7 and Diameter signaling messages are exchanged in the clear, allowing them to be monitored, modified, and rerouted during transfer between roaming partners.

Conclusion

The security of the initial bilateral 5G SA Roaming connections seems far less robust than the security of 2G-4G roaming connections. Disabling TLS would even be a step backward, making 5G SA roaming less secure than before, despite the good intentions of 3GPP’s theoretical ‘security by design’ approach. As subscribers are normally unaware of these risks but can be harmed even if not roaming, it should be hoped that regulators will not accept any security compromise of their national mobile operators for the bilateral 5G SA Roaming connections with foreign mobile operators.

References

The overall guidelines and background information on this topic are documented in the GSMA report NG.132. Further guidelines for 5G SA Roaming are documented in other GSMA documents such as:

  • NG.113 — 5GS Roaming Guidelines with details about the deployment variants;
  • IR.67 — DNS Guidelines with the procedures for automated SEPP discovery;
  • FS.34 — Key Management with the procedures for certificates and key materials; and
  • WA.51 — 5G SA Implementation Guidelines with the commercial guidelines for 5G SA.
Pieter Veenstra
Pieter Veenstra
After a distinguished career in leading roles within the telecom industry, Pieter now serves as an independent expert in routing and security. He is an advisory member of CPaaSAA, a partner of i3forum, and a guest lecturer for MSc courses at the Technical University of Delft. Throughout his career, Pieter has contributed significantly to the field, publishing articles, and chairing various working groups in ETSI and GSMA. His contributions include serving as the Chair of the GSMA Roaming and Interconnection Fraud and Security working group and editor for detailed technical specifications such as the GSMA PRD FS.40 - 5G Security Guide. He also currently contributes his insights to the i3Forum Technology working group and the One Consortium Restore Trust initiative with GIRAF. His goal it to help the community converge on practical and effective solutions for CLI data protection. See Pieter's LinkedIn profile here.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email