Telcos often lack the time and expertise to vet security testing businesses, and the GSMA should step in by developing an accreditation scheme for independent firms who would test the effectiveness of SS7 firewalls, according to a new article from world-renowned security expert Karsten Nohl. Writing for the website of one of the businesses he founded, Security Research Labs, Nohl observed:
To configure their firewalls correctly, telcos rely on interconnect pentests to find and close gaps.
This specialized telco security assessment simulates real-world attacks against crucial network interconnection points. Unlike a typical IT security scan, it targets vulnerabilities of telecom signaling protocols to uncover weaknesses that could lead to subscriber tracking, call or SMS interception, service disruption (denial of service), or fraud.
However, proper testing has not been performed as often as it should because penetration tests are only meaningfully conducted by people working outside of the telco being tested. The leasing of Global Title (GT) has been a hot topic recently, and Nohl is conscious that robust penetration testing would involve allowing legitimate security firms access to SS7 while seeking to deny access to the businesses that currently abuse it.
SS7 firewall tests need to be executed from a hacker’s perspective: From outside the target network, and possibly without roaming agreement privileges. This requires SS7 network access (GT leasing).
The GSMA code of conduct rightfully calls for “alternative solutions [to] be used to replace GT Leasing”. Unfortunately, no alternatives exist for SS7 security testing, which needs to mimic malicious actors with direct SS7 access. Some ethical hackers had to go as far as to become telcos with their own GT allocation. They now play a vital role in securing the signaling ecosystem.
A related point was made in a recent Commsrisk article by Stephen Ornadel, leader of the GSMA’s Global Title Leasing Task Force. Stephen noticed the following issue while commenting upon the detail of new GT rules imposed by Ofcom, the UK comms regulator.
…about creating GTs for penetration testing, Ofcom state that they would “need to consider whether the application met our eligibility criteria for the allocation of mobile numbers for use as part of a mobile service”.
I hope they do receive such requests and I will certainly be pushing this point within the GSMA. However, I do not believe Ofcom’s current rules would actually allow them to allocate numbers so security companies can have new GTs.
Nohl believes there is a need to progress beyond simple restrictions that affect the work of responsible security testers more than they impede bad actors.
Evidence from IT security shows that malicious hackers have strong motivation and resources to circumvent rules, while white hats stick to them. A general rules-based embargo on GT leasing impacts mostly white hat security experts, not criminals, and possibly makes their work easier by allowing security defects to persist due to the lack of testing.
We need a vetting scheme to certify GT leases for security testing. The GSMA code of conduct calls for “due diligence” on the commercial and technical details of each GT lease. This is the right direction, but it leaves the responsibility with individual operators, who often lack the time or expertise to vet security service providers.
Instead, the GSMA and its working groups have this expertise, and they should introduce a vetting scheme for Interconnect Security Assurance providers. Such accreditation schemes have been successfully introduced in IT security, notably through the CREST certification for IT security test providers, mandated for security testing on critical infrastructure.
Nohl’s article finishes for a plea with for more collaboration in security testing of comms networks in order to protect consumers from harm. It echoes the themes of a recent anti-fraud ‘call to action’ video (pictured) that was shared by Nohl through his Hacking Matters YouTube channel. However, it is easier to ask for collaboration than to deliver it. The devil is in the detail with proposals like these. Nohl makes a persuasive argument, but I expect there would be resistance from some businesses with a genuine desire to improve security as well as from the usual suspects.
Nohl’s article about governing the ethical hacking of SS7 can be found here.



