20.5k unique visitors in the last 3 days

US Claims Progress with Tightening Diameter Security

Lisa Fowlkes of the FCC's Public Safety Homeland Security Bureau says US wireless telcos are proactively improving the security of Diameter signaling.

The issue of signaling security rarely receives much public attention, but a recent announcement from the Federal Communications Commission (FCC), the US regulator, states American telcos have made “significant progress in addressing risks associated with the Diameter protocol”. The press release, which referred to the Diameter security recommendations of the FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC), saw FCC Chairman Ajit Pai “commend the providers that have already implemented these measures and urge those with work underway to complete this important effort”.

The announcement went on to present a positive picture of how the US telecoms industry has responded to the potential threat. Lisa Fowlkes, Chief of the FCC’s Public Safety Homeland Security Bureau (pictured) stated the Bureau has…

…been reaching out to wireless providers to determine how they have responded to CSRIC’s recommendations for reducing Diameter related security risks. We found widespread adoption across the industry, with implementation of these measures either completed or underway by most providers.

A 2018 CSRIC report highlighted that Diameter was likely to suffer similar vulnerabilities to SS7, but that the exploitation of these vulnerabilities would probably require further development by bad actors because Diameter’s adoption was relatively recent. Nevertheless, the onus was on the telecoms industry to identify and mitigate threats before they were exploited.

The use cases found in SS7 may exist in Diameter as well, namely: location tracking; voice/SMS interception; subscriber denial of service (DoS); and account fraud/modification. In addition to these use cases, the Diameter protocol may be used for the interception of user data sessions. Previous research exposed the GPRS Tunneling Protocol (GTP) to be vulnerable in 3G networks, but the functions provided by GTP have been replaced by the Diameter protocol in 4G. The Diameter protocol also introduces the potential to spoof the identity of networks due to the way Diameter routes commands from hop-to-hop, which is unique to Diameter.

Nation states are considered to pose the greatest potential threat, because of the resources they might deploy when seeking to find holes in the security around Diameter. The FCC’s desire to tighten Diameter security may be linked to increasing concern that China is using its telecommunications industry to steal intellectual property and spy on other governments.

Commsrisk has published a number of articles about signaling risks over the years and consequently highlighted how telecoms risk vendors like Mobileum have prioritized the addition of signaling firewalls to their portfolio of products. AdaptiveMobile Security announced they had identified real-life Diameter attacks as early as February 2018, and there has since been an intensification of interest in Diameter security.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email