New Paper Explains How to Secure SMS in the 5G Era

AdaptiveMobile Security has published a white paper entitled “Messaging for the Future: Securing SMS in 5G” which explains why 5G networks will be at increased risk because of the interplay between the way SMS messaging has been implemented and the manifold vulnerabilities inherited from earlier generations of network. The paper makes many recommendations about how to shore up the defenses surrounding SMS messaging before telcos suffer even worse abuses than those which hit the headlines throughout 2021.

A key issue is that SMS will remain popular for the foreseeable future because it can be used to reach all mobile phones and because businesses and governments will drive increased growth in application-to-person (A2P) SMS traffic. The number of person-to-person SMS messages is in overall decline but the rise in revenues from A2P SMS messages means they have become an increasingly important determinant of a telco’s profitability. However, SMS is built upon legacy technology, meaning there are security risks that stem from both this legacy and its use within the context of 5G.

As we enter the next generation of 5G mobile networks it is important to note that SMS retains and requires legacy technology, which must be integrated with the new technologies 5G brings to the mobile network. Thus, this makes SMS’s security considerations for the previous generations of mobile networks just as important for 5G. Attackers will use various techniques to penetrate networks and test network weaknesses at various entry points until they are successful in their mission.

…Even with new standards and specifications, the security in 5G is not completely ‘built-in’, and lessons from the vulnerabilities of previous mobile network generations must be learnt and applied to secure the future of SMS mobile messaging in 5G.

I spoke to Cathal Mc Daid, CTO of AdaptiveMobile Security, about the need to publish this new white paper when SMS is such an old product. Cathal emphasized that 5G is really complicated, and that the effort that telcos will need to put into identifying and addressing all of the potential security gaps will be an order of magnitude worse for 5G than for previous generations of networks. He drew particular attention to the extent to which future SMS messages will be both sent and received by machines, with little or no human involvement. Telcos often rely on their human customers to notify them of spam messages, attempted frauds, numbers used by criminals and so forth. If no human user is involved in the exchange of messages, and machines send many more messages to each other, then telcos could suffer much larger losses before anyone recognizes that a vulnerability has been systematically exploited. The current focus on deploying 5G networks could mean even less attention is paid to knock-on consequences of changes that will exacerbate weaknesses that have long been ignored.

The structure of the paper reflects the differences between the three ways text messages can be sent using 5G’s service-based architecture:

  • SMS over Non-Access Stratum (NAS), also termed SMS over NAS or SMSoNAS
  • SMS over IP using IP Multimedia Subsystem (IMS), also termed SMS over IP or SMSoIP
  • SMS using Rich Communication Suite (RCS) messaging

It should come as no surprise that knowing which network nodes are utilized by each approach is vital to understanding how to secure SMS messages. There is no point in trying to repeat the detail for this article; the contents of the paper show there are too many distinct ways SMS messages can be handled by telcos to permit useful generalizations about vulnerabilities. What struck me is how the risks relating to SMS suffer from combinatorial complexity that multiplies with each new generation of network. I had a decent grasp of the systems involved in sending and receiving SMS messages when 3G was still new. That was 20 years ago. Security professionals now need to be conscious of the interplay between systems where a 5G architecture must be compatible with the way SMS messages are handled by 4G, 3G and 2G.

The paper identifies the types of attack that involve SMS and various ways of mitigating each type of attack. Types of attack include: unsolicited SMS messages, SMS phishing, premium SMS fraud, mobile malware, spying, interception of SMS messages, denial of service, and abuse of gray routes. The authors also identify some new kinds of risks made possible by the combination of SMS and the latest generation of networks. However, the key question, as Cathal put it, is “where does SMS fit into a 5G security strategy?” Telcos may have previously underestimated the risk of SMS services being abused, as evidenced by the Flubot SMS messages received by millions of phone subscribers across various countries, and the number of telcos that lacked the technology to purge the messages as soon as that scam became prevalent. 5G raises the stakes for security because it adds another layer of risk to businesses that already have many gaps in their defenses. Cathal’s hope is that this paper will remind telcos of the importance of SMS as a product whilst also showing them how to systematically address the growing number of interfaces that bad actors could use as entry points.

I also asked Cathal if his thinking about how to secure networks had been influenced by Enea’s acquisition of AdaptiveMobile earlier this year. Cathal affirmed that the deal resulted in synergies that would lead future networks to be more secure. It is vital that networks are secure by design, and this should never be taken for granted, as reiterated by a damning German analysis of current 5G Open RAN standards. Whilst AdaptiveMobile complements Enea’s philosophy of building security into their network functionality, this does not change how much AdaptiveMobile still needs to advise telcos about gaps in their existing security armor, nor does it change the demand for the firewalls that are central to AdaptiveMobile’s portfolio.

“Messaging for the Future: Securing SMS in 5G” is an excellent piece of work. It gives a refreshingly straightforward description of how technology works and can be subverted, but the level of detail means it is not a quick read and cannot offer the kinds of token platitudes that bluffers might prefer. The paper provides a genuinely useful precis of how telcos should assure themselves they have tackled the risks surrounding 5G and SMS, and does not spare the reader from being shown all the hard work required. You can download AdaptiveMobile Security’s paper by registering your details here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.