Firms that sell security already know about the typical weaknesses of their customers but it helps to commission independent research to convince everyone of the need to close gaps in their defenses. That was why network security business Cellusys engaged Kaleido Intelligence to survey mobile operators about signaling security, and the results make uncomfortable reading for phone users concerned about privacy, although they would not have come as a surprise to Cellusys.
Perhaps the most damning finding for the telecoms industry is that mobile operators are largely unsure of how vulnerable they remain even after they follow the best security guidance the sector has produced. 62 percent of surveyed mobile operators said they were uncertain if adhering to GSMA/3GPP security guidelines is a comprehensive solution to signaling security threats, whilst 19 percent said the standards were definitely inadequate. At the same time, a third of mobile operators are not compliant with GSMA guidelines for SS7 monitoring, a third do not comply with the GSMA guidelines for Diameter interconnect security, and 17 percent admitted they do not comply with any of the key GSMA/3GPP signaling security guidelines. It is worth keeping in mind that a phone user can be put at risk by the vulnerabilities of any of the telcos that handle their call or message.
53 percent of mobile operators said SMS spam attacks were highly frequent or very highly frequent, suggesting that SMS spam is the most common signaling-related attack. Wangiri, IRSF and spoofing were also ranked amongst the most frequent forms of attack. The interception of communications and the tracking of users were perceived to be less common, but still frequent enough that no mobile operator is going to honestly tell customers how much they are at risk.
There remains a lot of ignorance of the consequences of signaling attacks within the mobile operators that suffer them. 44 percent stated they had no estimate of the financial cost of these attacks, suggesting that a significant source of leakage remains unappreciated. A quarter of respondents refused to share their estimates of the leakage caused; my experience is that nobody refuses to divulge leakage numbers when they are low. Of the minority of mobile operators that did answer this survey question, most said their losses to signaling attacks were below USD1mn per annum, but there were several who admitted leakages had cost them over USD3mn a year.
Many mobile operators were also unable to say how often their networks had been disrupted by signaling attacks. Over a third did not know, whilst a quarter declined to answer this question. Of the mobile operators that did give an answer, the majority said they suffered network disruption at least once a month, and a third said their networks were disrupted more than five times a month.
There are many more revealing statistics in the Cellusys-Kaleido signaling security report, so the best advice is to obtain a copy from here.