Safeguarding telecom networks against advanced threats with Ericsson’s cyber defense solutions

5G is the most secure wireless technology compared to previous network generations, making false base station attacks difficult. However, advanced false base station attacks may utilize a compromised roaming partner, exploiting the trust relationship with the attacked mobile network.

Technical Product Manager

Strategic Product Manager

Technology Director

With each new generation of mobile network standards from 3GPP, subscriber privacy and security have improved extensively, with 5G SA implementing many learnings from past weaknesses. These have been covered in previous blog posts [1]. However, most mobile devices still support all earlier standards and can thus be exploited even if the network is updated to the latest standards. The network has good mitigation capabilities against downgrading of mobile devices to earlier generations, making attacks much harder to perform. But well-funded and capable threat actors may use new advanced methods to compromise subscribers. We have also discussed the benefits of a false base station detection solution and how it can be implemented [2].

An advanced variant of the false base station attack is one where the attacker has access to a mobile network that has a roaming agreement with the target network. To achieve this, an attacker must compromise a mobile network, work in cooperation with that service provider, or pretend to be the network by accessing the roaming interconnect network and spoofing the request origin. Using the false base station, the attacker gains network access beyond their licensed geographical boundaries.

Thus, network roaming and interconnect security are important when protecting subscriber privacy. We previously discussed how an adaptive security strategy for signaling, utilizing signaling firewall protection and continuous security monitoring, can protect mobile networks and subscribers from signaling threats [3].

Let’s look at how these elements come together to form a comprehensive end-to-end solution against threats to networks and subscribers, such as false base station attacks.

Ericsson’s telco-grade cyber defense solution

As the attack exploits several telecom protocols, the solution also needs to cover all relevant aspects. Ericsson’s solution consists of the following components:

  • Detection of false base stations
  • Ensuring preventative security configuration related to the attack
  • Prevention of exploiting roaming protocols
  • Detection of malicious signaling traffic

Parts of the attack can be either prevented or made more difficult by applying the correct configuration in the related security settings. Security management provides the capability to check the related controls and even enforce correct settings.

Network intelligence is utilized for detecting all kinds of false base station attacks. This has been covered in a previous blog post [4]. The Ericsson solution utilizes user equipments (UEs) as sensors and identifies anomalies in the observed network identities using unique algorithms. Ericsson base stations have special UE measurement collection capabilities that are designed specifically for detecting anomalous cells in networks.

[Figure: Comprehensive telecom security solution: Ericsson's approach to addressing multi-protocol attacks]

Detection of false base stations

To complement the standardization in the 3GPP releases for 4G and 5G, Ericsson provides capabilities such as the Ericsson Security Manager (ESM) and Ericsson baseband (RBS) components for RAN products. These capabilities aim to enhance our customers' security posture by better protecting the network and detecting RAN-specific threats. Together these capabilities constitute the Ericsson RAN security threat detection solution for identifying false base stations. This is a software-only automated detection solution that provides efficient and precise alerts. It offers improved visibility and continuous threat monitoring, which enables service providers to take measures to prevent potential service loss, breach of subscriber security, and the regulatory fines and reputational (brand) damage that could result from a successful attack.

[Figure: RAN Detection]

Automated security configuration

Considering the complexity and dynamicity of networks, a good starting point to mitigate advanced telecom threats is to automate the security configurations for all layers in the network. With automation, security is set up efficiently and consistently at deployment, and deviations from expected settings can be automatically detected and reported by continuous monitoring during run-time operations. In addition, with automation, the continuous improvement of security countermeasures implemented in the network will more naturally follow the evolution of the threat landscape.

The 3GPP standards for 4G and 5G include relevant security features for the protection of signaling and user planes for RAN, core, and roaming interfaces. However, most of the features are optional and are enabled only if the mobile service provider’s security objectives and risk tolerance demand it.

In 4G and 5G, non-access stratum (NAS) and radio resource control (RRC) signaling integrity are mandatory features. User plane integrity and confidentiality, NAS signaling confidentiality, AS signaling integrity and confidentiality, RRC confidentiality, use of IPsec, and use of TLS for SBI interfaces are all recommended but optional features. All these feature configurations should be continuously monitored against the mobile service provider’s security baseline.

4G networks maintain various mechanisms to make false base station attacks harder, such as the failover mechanism to redirect UEs to 2G networks. False base stations may exploit this mechanism to evade the 4G mutual authentication process and connect UEs to 2G false base stations. Mobile service providers may deploy a network policy that tries to prevent UEs from accepting unsecure RRC redirection commands before the completion of mutual authentication. Security configuration automation can activate this policy, hence mitigating the false base station risk.

The capabilities discussed above are supported by automated security configuration with Ericsson Security Manager.

[Figure: Telecom security control]

Signaling firewall

Security policies reflecting roaming partner trust relationships should be implemented on the roaming interfaces, in accordance with, for example, GSMA FS.19 (Diameter interconnect security), using a signaling firewall such as the Ericsson Unified Signaling Firewall (4G), which also supports the SS7 and HTTP checks.

The unified signaling firewall (USFW) performs security checks on SS7, Diameter and HTTP messages sent from an external network to the service provider’s home network. The USFW can be configured to report, reject, or drop messages that fail the security checks. Roaming traffic on SS7, Diameter and HTTP interfaces requires special attention from a security perspective. Roaming traffic originates outside of the service provider’s network and can potentially be the source of fraud. Even if the service providers maintain a high-security standard in their network and prevent connections to untrusted signaling nodes, it can be observed that harmful traffic is injected via the roaming interfaces. The USFW provides protection from fraudulent messages aiming to modify the location information of a subscriber or influence the subscriber state in an unwanted way. A malicious location update is part of the kill chain for other attacks, such as fraud, call intercept, and denial of service. The USFW is typically embedded in a DSC and/or SEPP node being the central point of contact for all roaming traffic. Alternative deployment options include USFW as the recipient of copied messages to monitor the signaling traffic and report events. The USFW comes with an impressive set of pre-configured security checks which enables fast deployment of the USFW in the network.

The velocity (time-distance) check is performed on subscriber locations received in messages. The mobile country code (MCC) and mobile network code (MNC) received in those messages are compared to the MCC and MNC of the last known subscriber location. Subscriber movements exceeding a speed of 1000 km/h are reported as security events. This check requires that the USFW has previously recorded a location event for the corresponding subscriber.

[Figure: Unified signaling firewalls]

The velocity (time-distance) check can be enhanced with an active location retrieval. Triggered by a location event, the subscriber location can be queried with a signaling procedure from the subscriber’s home network. The active location retrieval procedure enhances the quality of the time-distance check and gives a clear indication when an illegal location request has been observed. Whether an active location retrieval is triggered can be configured per roaming partner. The activation per roaming partner ensures that the increase in signaling load is limited.
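The velocity (time-distance) check and the per-partner active location retrieval described above, sketched as an added example (not Ericsson or USFW code). It assumes each MCC maps to one approximate reference point and that a flagged event does not replace the stored baseline; the coordinates, sample IMSI and partner entry are constructed.

```python
import math
from dataclasses import dataclass

# Approximate country reference points keyed by MCC (constructed sample data).
MCC_COORDS = {"262": (51.0, 10.0),    # Germany
              "240": (62.0, 15.0),    # Sweden
              "310": (39.0, -98.0)}   # United States
MAX_SPEED_KMH = 1000.0                # threshold stated in the text
# Hypothetical setting: partners (MCC, MNC) for which active retrieval is enabled.
ACTIVE_RETRIEVAL_PARTNERS = {("310", "999")}

@dataclass
class LocationEvent:
    imsi: str
    mcc: str
    mnc: str
    ts: float  # seconds since epoch

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class VelocityCheck:
    def __init__(self):
        self.last_seen = {}  # imsi -> last accepted LocationEvent

    def process(self, ev):
        """Return (verdict, implied speed in km/h or None, trigger_active_retrieval)."""
        prev = self.last_seen.get(ev.imsi)
        if prev is None:
            # The check needs a previously recorded location event.
            self.last_seen[ev.imsi] = ev
            return ("no_baseline", None, False)
        if ev.mcc not in MCC_COORDS or prev.mcc not in MCC_COORDS:
            return ("unknown_mcc", None, False)
        dist = haversine_km(MCC_COORDS[prev.mcc], MCC_COORDS[ev.mcc])
        hours = max(ev.ts - prev.ts, 1.0) / 3600.0  # guard zero or negative deltas
        speed = dist / hours
        if speed > MAX_SPEED_KMH:
            # Keep the old baseline so a spoofed update cannot poison later checks.
            retrieve = (ev.mcc, ev.mnc) in ACTIVE_RETRIEVAL_PARTNERS
            return ("security_event", speed, retrieve)
        self.last_seen[ev.imsi] = ev
        return ("ok", speed, False)
```
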

Telecom signaling intrusion detection solution

Implementing a signaling intrusion detection solution provides visibility and control over signaling threats, including advanced threats that are hard to detect with a rule-based signaling firewall. It complements a signaling firewall to detect advanced threats, powered by a large ruleset and AI/ML models. Such solutions identify unexpected threats by tracking all signaling messages over an extended period and correlating them to detect new attack patterns. A signaling intrusion detection solution also utilizes threat intelligence to monitor advanced persistent threat actors and enables the identification of, and prompt response to, their attack attempts.

Ericsson’s partner product telecom intrusion detection system (TIDS) [5] offers several key capabilities to detect advanced threats on signaling traffic, particularly for detecting roaming threats. TIDS detects attacks on a wide range of signaling protocols (SS7, Diameter, GTP-C, and SBA (service based architecture) HTTP/2) and cross-protocol attacks in 2G, 3G, 4G, and 5G technologies with its advanced ruleset and AI/ML capability. It employs detection techniques over a long period for each subscriber. This allows it to detect advanced threats in signaling messages, for example, by checking for header mismatches across signaling protocol flows and correlating these with threat intelligence to identify an attack. Moreover, it includes a customizable dashboard and threat intelligence integration for investigating advanced threats.

Some signaling attacks might not be harmful to the network but could have serious implications for subscribers and their privacy. Detecting these requires not only advanced analytics with stateful capabilities and in-depth security expertise, but also a full understanding of the roaming business and how it is implemented around the world. TIDS includes this intelligence, resulting in reduced false positives when detecting roaming threats. TIDS also complements USFW’s velocity (time-distance) checks for roaming signaling traffic. It does this by combining intelligence on the service provider’s location with the subscriber’s location when the subscriber roams from country to country.

Summary and call to action

By implementing a telecom cyber defense solution with end-to-end security measures tailored to the mobile network, mobile service providers can gain cybersecurity visibility and control. To mitigate the threat of advanced false base station attacks that misuse roaming privileges, the mobile service provider should implement the following measures:

  • False base station detection capabilities in RAN network and security management
  • Security configuration in signaling firewall according to GSMA FS.19 or similar
  • Continuous intrusion detection monitoring on the roaming signaling interfaces
  • Cross-layer monitoring and validation

Mobile networks are crucial in our interconnected world. Ericsson is committed to contributing to the evolving standards and developing comprehensive solutions to ensure the security of mobile networks.

References

  1. Detecting false base stations in mobile networks
  2. Protecting 5G against IMSI catchers
  3. Signaling security
  4. Why NI is vital in addressing RAN threats
  5. Ericsson and POST Luxembourg stronger signaling security