Urgent Security Advances Needed to Trust Mobile Caller IDs

The mobile industry's claim that the risk of fake mobile caller IDs will disappear over time is false. Despite mobile operators claiming improved trustworthiness of the mobile caller ID for voice calls made in foreign networks, roaming security advancements are urgently needed to protect subscribers against increasingly sophisticated CLI spoofing tactics used for robocalls and fraud attacks.

While CLI spoofing tactics are often associated with calls by roaming users, the issue is relevant to all mobile subscribers, regardless of whether they are roaming. The attacker’s goal is to deceive the target by using a known mobile caller ID, prompting the victim to answer. Roaming services are simply a means to stealthily manipulate the CLI due to their susceptibility to tampering.

In 2G/3G networks, voice calls by roaming users start in the visited foreign mobile network. When the destination is abroad, typically when the user calls home, these calls enter the home country with CLIs in the home country's numbering plan. This pattern is characteristic of calls by roaming users, since other international calls normally arrive with CLIs from foreign numbering plans. This is a vulnerability: attackers exploit the anomaly to trick victims into answering falsified calls that carry the mobile caller IDs of relatives, friends, etc.

In 4G and 5G networks, voice calls have become data sessions. With VoLTE and 5G roaming between the visited network and the home network, these sessions are selectively forwarded to the IP Multimedia Subsystem (IMS) in the home mobile network. Only in the IMS in the subscriber's home country do the data sessions become voice calls, so they are no longer routed as international calls via international carriers.

From the above, mobile operators suggest that in a world of only 4G and 5G networks, the risk of misuse of mobile caller IDs can be fully mitigated. However, this is purely theoretical, because the preconditions are far from met, which leaves room for continued fraudulent abuse. This article only details the vulnerabilities concerning voice calls, but similar issues apply to the reliability of the mobile caller ID in SMS messages.

VoLTE Roaming

The shutdown of 2G/3G networks in the US sparked the migration from vulnerable 2G/3G roaming connections with SS7 signalling to the Diameter-based VoLTE roaming links between 4G networks. Developing countries in particular are not prepared for this migration as it needs a 4G core network with an IMS service platform, as well as VoLTE-ready phones and IoT devices. Also, loosely specified interworking solutions leave room for abusive manipulation of the CLI between the visited network and the interworking function.

5G Roaming

Voice calling in 5G works as in 4G: the call by a roaming customer is transferred as a data session to the IMS in the home mobile network. In most countries, 5G will coexist with 2G or 3G service for many years. Downgrade attacks exploit the phone or device falling back to 2G or 3G. This can occur for voice calls when 5G radio coverage is limited, when a service forces the fallback, or as part of a fraudulent action.

CAMEL

CAMEL (Customised Applications for Mobile networks Enhanced Logic) is an SS7-based service control protocol that enhances 2G/3G roaming by forwarding calls from roaming users to the home network and by enabling fraudulent voice calls to be blocked remotely. However, not all mobile networks worldwide support CAMEL. It is very unlikely that CAMEL will be implemented in more networks, as it belongs to legacy 2G/3G networks with technological constraints, and there is an unwillingness to invest in legacy technology.

Other Bypass Techniques

Despite the above roaming mitigation solutions, there are complementary situations that are not controllable via these mobile network solutions. These permit potentially abusive bypass techniques like:

  • The GSMA has identified security risks due to the coexistence of 2G-5G roaming as interworking solutions are specified in less detail than the individual 2G-5G systems. These loosely specified interworking solutions are frequently exploited for fraudulent activities.
  • Fragmented national coverage of 4G/5G and parallelism with 2G/3G is a risk for downgrading attacks whereby security enhancements in 4G and/or 5G are bypassed.
  • Over-the-top voice applications offer many bypass options. A typical example is the Skype Out service that allows subscribers to configure a mobile number as caller ID, which is included in the CLI of the outgoing VoIP call and presented to the called party. These services are popular for spoofing attacks, due to limited authentication controls.
  • Unified Communications (fixed/mobile) and call forwarding services allow for scenarios whereby mobile caller IDs are included in outbound calls without direct control by the mobile operator, and screening for manipulated CLIs by the fixed network is not guaranteed.

The above considerations point to a principal security problem with an existing ecosystem that is vulnerable and which cannot be isolated or disabled. The risk will thus persist for years, and potentially without end. It will remain a common thread for the meshed, globally interconnected mobile networks.

Attackers are adept at exploiting these techniques. And given the international nature of the criminal industry, they can easily shift their activities to countries where corner cases and bypass techniques are still viable.

The most dangerous risk arises when the mitigation solutions are themselves bypassed and calls with false CLIs are classified as carrying trusted mobile caller IDs. This is the known 'garbage in, garbage out' problem of STIR/SHAKEN, which often causes more confusion among customers than the absence of any such classification.

Concluding Remarks

  • While mobile operators are reducing the attack surface with new roaming advancements, they will not be able to guarantee the authenticity of the mobile caller ID of all calls, given the many bypass techniques via the heterogeneous worldwide roaming system. This includes the potential misuse of subscribers’ mobile caller IDs served by their latest 5G networks.
  • The declining volume of inbound international calls with a local mobile caller ID won’t impede scams with the wide variety of backdoors. Both international carriers and terminating networks require continued robust detection rules for inbound international calls to combat CLI spoofing of local mobile caller IDs and protect subscribers effectively.
  • The industry could explore opt-in registries that allow customers to declare their roaming status. Inbound international calls with mobile caller IDs would then be blocked automatically unless the customer has indicated they are roaming. This proactive self-protection mirrors practices offered by financial institutions for credit/debit cards, which let customers safeguard themselves against misuse of their financial services.
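The detection rule and the opt-in registry described above, written out as an added example in Python (this is not code from the article or its author). It applies the gateway rule implied by the 2G/3G section: an inbound international call whose CLI belongs to the home network's own mobile numbering plan is anomalous unless the customer has declared roaming in an opt-in registry. It goes one step further than the text by also flagging, rather than blocking, calls from subscribers whose roaming is VoLTE/5G home-routed, since those calls should reach home via the IMS and not via an international carrier, while a 2G/3G fallback can still produce a legitimate call of that shape. The numbering plan (country code 31, mobile range 316xxxxxxxx), trunk names, call records and registry entries are all constructed assumptions for illustration.

```python
"""Gateway screening rule for inbound international calls carrying a CLI from
the home network's own mobile numbering plan.

Added example, not code from the article or its author. Everything below is
constructed for illustration: the numbering plan (country code 31, mobile
range 316xxxxxxxx), the trunk names, the call records and the opt-in registry.
"""
from dataclasses import dataclass
from enum import Enum
import re

HOME_MOBILE_CLI = re.compile(r"^316\d{8}$")  # assumed home mobile range, E.164 digits


class Verdict(Enum):
    ALLOW = "allow"                                   # nothing anomalous about the CLI
    ALLOW_DECLARED_ROAMING = "allow-declared-roaming" # customer opted in as roaming
    BLOCK_UNDECLARED = "block-undeclared-home-cli"    # home mobile CLI from abroad, no roaming declared
    REVIEW_HOME_ROUTED = "review-home-routed"         # VoLTE/5G subscriber should not arrive via a carrier


@dataclass(frozen=True)
class InboundCall:
    ingress: str   # trunk the call arrived on; "intl-*" marks an international carrier
    cli: str       # calling line identity exactly as received
    called: str    # called number (not used by the rule, kept for the record)


@dataclass(frozen=True)
class RoamingDeclaration:
    roaming: bool      # customer declared "I am abroad, let calls with my CLI through"
    home_routed: bool  # customer's roaming is VoLTE/5G home-routed through the home IMS


def normalise_cli(cli: str) -> str:
    """Reduce a received CLI to E.164 digits: drop '+', spaces and a '00' prefix."""
    digits = re.sub(r"\D", "", cli)
    return digits[2:] if digits.startswith("00") else digits


def screen(call: InboundCall, registry: dict[str, RoamingDeclaration]) -> Verdict:
    """Apply the home-numbering-plan rule to one inbound call."""
    if not call.ingress.startswith("intl"):
        return Verdict.ALLOW  # the rule only concerns calls entering via international carriers
    cli = normalise_cli(call.cli)
    if not HOME_MOBILE_CLI.match(cli):
        return Verdict.ALLOW  # a foreign CLI on an international trunk is the normal case
    decl = registry.get(cli)
    if decl is None or not decl.roaming:
        # The article's anomaly: a home mobile CLI arriving from abroad while nobody
        # has declared that this subscriber is roaming.
        return Verdict.BLOCK_UNDECLARED
    if decl.home_routed:
        # VoLTE/5G roaming calls reach home through the IMS, not an international
        # carrier; a 2G/3G fallback can still produce this shape, so flag, don't block.
        return Verdict.REVIEW_HOME_ROUTED
    return Verdict.ALLOW_DECLARED_ROAMING


# Constructed opt-in registry and sample call records.
SAMPLE_REGISTRY = {
    "31623456789": RoamingDeclaration(roaming=True, home_routed=False),
    "31634567890": RoamingDeclaration(roaming=True, home_routed=True),
    "31645678901": RoamingDeclaration(roaming=False, home_routed=False),
}

SAMPLE_CALLS = [
    InboundCall("intl-carrier-A", "+31612345678", "31687654321"),    # unknown home CLI from abroad
    InboundCall("intl-carrier-A", "+4915112345678", "31687654321"),  # foreign CLI, the normal case
    InboundCall("domestic", "+31612345678", "31687654321"),          # domestic ingress, rule not applied
    InboundCall("intl-carrier-B", "0031623456789", "31687654321"),   # declared roaming, 2G/3G style
    InboundCall("intl-carrier-B", "31634567890", "31687654321"),     # declared roaming but home-routed
    InboundCall("intl-carrier-B", "+31 6 4567 8901", "31687654321"), # registered but not roaming
]


def screen_sample_calls() -> list[tuple[str, str]]:
    """Run the rule over the constructed records; returns (normalised CLI, verdict)."""
    return [(normalise_cli(c.cli), screen(c, SAMPLE_REGISTRY).value) for c in SAMPLE_CALLS]


if __name__ == "__main__":
    for cli, verdict in screen_sample_calls():
        print(f"{cli:>15}  {verdict}")
```

In a real gateway the registry lookup would be backed by the home network's own roaming state (HLR/HSS or HSS/UDM location data) as well as the customer's declaration, and the REVIEW verdict would feed an analyst queue or a risk score rather than a hard block, which is the trade-off the article's downgrade caveat forces.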
Pieter Veenstra
After a distinguished career in leading roles within the telecom industry, Pieter now serves as an independent expert in routing and security. He is an advisory member of CPaaSAA, a partner of i3forum, and a guest lecturer for MSc courses at the Technical University of Delft. Throughout his career, Pieter has contributed significantly to the field, publishing articles, chairing various working groups in ETSI and GSMA, and serving as an editor for detailed technical specifications such as the GSMA PRD FS.40 - 5G Security Guide.
