100% of 4G networks are susceptible to Denial of Service attacks and 5G is not immune

Positive Technologies (PT) has published its ‘security assessment of Diameter networks’ report. The Diameter signaling protocol is used to authenticate and authorise messages and information distribution in 4G networks. The vulnerabilities in the protocol means 5G networks built on top of previous generation networks will also inherit the same threats - such as tracking user location, obtaining sensitive information and in some cases downgrading users to insecure 3G networks. 

The research is the penultimate report in a four-part series on telecoms security where Positive Technologies researchers reveal the biggest threats and vulnerabilities across the existing mobile network ecosystem, important as the industry continues to wrestle with the security implications of 5G networks. It is based on studies of the networks of 28 telecom operators across Europe, Asia, Africa and South America, between 2018 – 2019. 

To assess the security of the networks, PT researchers replicated the actions of threat actors. Their attempts to infiltrate mobile networks were 100% successful and they discovered that the biggest threat was denial of service attacks which affects both 4G and 5G users. This is because the first generation of 5G networks (5G Non-Standalone) is based on the LTE network core, which means that 5G is vulnerable to the same flaws. 

Dmitry Kurbatov, CTO at Positive Technologies comments, “A lot of the major mobile operators are already starting to roll out their 5G networks and so the industry needs to avoid repeating the mistakes of the past by having security front and centre of any network design. If left unchecked, their 5G networks will not be immune from the same vulnerabilities of previous generation networks. Implementing security as an afterthought means further down the line, issues will inevitably arise, and operators will be forced to retrofit security putting strain on their original budget. Trying to fix mistakes on an ad-hoc basis, often results in new solutions being poorly integrated into existing network architecture,”

Successful methods for denial of service attacks rose 3% from (38%) 2018 to (41%) 2019 posing a direct threat to IoT devices, and highlighting that operators need to continually update their cyber defenses.

Kurbatov commented, “In the last two years, there has been no improvement in the industry in terms of strengthening security measures in the diameter protocol, which is very concerning. As the world becomes more interconnected, the threat landscape expands and so the consequences become even more dangerous. Gartner predicts 25 billion IoT devices to be connected by 2021. Therefore, a denial of service attack becomes so much bigger than simply a slow internet connection stopping you from posting a picture on Instagram. It can cripple cities which are beginning to use IoT devices in various ways from national infrastructure to industry. For example, if an alarm system fails to activate during an emergency it can literally be a life or death situation.”

Other vulnerabilities in the diameter protocol meant external actors could track subscriber location and obtain sensitive subscriber information which could be used to intercept voice calls, bypassing restriction on mobile services. Today, mobile operators do not have the resources and operator equipment to perform a deep dive analysis of traffic which makes it difficult for them to be able to distinguish between fake and legitimate subscribers.

Kurbatov commented, “At the moment operators neglect to cross-reference messages to verify a subscriber’s location to be able to filter between fake and legitimate messages. Mobile operators cannot afford to ground operations to a halt and so they need solutions which can block illegitimate messages without impacting network performance or user access to the network. Correct filtering of incoming messages is needed using threat detection systems which can analyse signal traffic in real-time and detect illegitimate activity by external hosts and flag up configuration errors as per GSMA guidelines.”