Only 1 in 5 Mobile Operators Believe GSMA/3GPP Security Guidelines Cover All Signaling Threats

Firms that sell security already know about the typical weaknesses of their customers but it helps to commission independent research to convince everyone of the need to close gaps in their defenses. That was why network security business Cellusys engaged Kaleido Intelligence to survey mobile operators about signaling security, and the results make uncomfortable reading for phone users concerned about privacy, although they would not have come as a surprise to Cellusys.

Perhaps the most damning finding for the telecoms industry is that mobile operators are largely unsure of how vulnerable they remain even after they follow the best security guidance the sector has produced. 62 percent of surveyed mobile operators said they were uncertain if adhering to GSMA/3GPP security guidelines is a comprehensive solution to signaling security threats, whilst 19 percent said the standards were definitely inadequate. At the same time, a third of mobile operators are not compliant with GSMA guidelines for SS7 monitoring, a third do not comply with the GSMA guidelines for Diameter interconnect security, and 17 percent admitted they do not comply with any of the key GSMA/3GPP signaling security guidelines. It is worth keeping in mind that a phone user can be put at risk by the vulnerabilities of any of the telcos that handle their call or message.

53 percent of mobile operators said SMS spam attacks were highly frequent or very highly frequent, suggesting that SMS spam is the most common signaling-related attack. Wangiri, IRSF and spoofing were also ranked amongst the most frequent forms of attack. The interception of communications and the tracking of users were perceived to be less common, but still frequent enough that no mobile operator is going to honestly tell customers how much they are at risk.

There remains a lot of ignorance of the consequences of signaling attacks within the mobile operators that suffer them. 44 percent stated they had no estimate of the financial cost of these attacks, suggesting that a significant source of leakage remains unappreciated. A quarter of respondents refused to share their estimates of the leakage caused; my experience is that nobody refuses to divulge leakage numbers when they are low. Of the minority of mobile operators that did answer this survey question, most said their losses to signaling attacks were below USD1mn per annum, but there were several who admitted leakages had cost them over USD3mn a year.

Many mobile operators were also unable to say how often their networks had been disrupted by signaling attacks. Over a third did not know, whilst a quarter declined to answer this question. Of the mobile operators that did give an answer, the majority said they suffered network disruption at least once a month, and a third said their networks were disrupted more than five times a month.

There are many more revealing statistics in the Cellusys-Kaleido signaling security report, so the best advice is to obtain a copy from here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.