Telecommunications is just one aspect of a 200-year-old field of research in IT. In our latest report, “Islands of Telecom: Risks in IT,” we liken this field to what seems to be separate islands that are in fact connected by a larger landmass underneath an ocean of IT. Indeed, the features of telecommunications might seem different from each other, but they all come together as the foundation of the entire field.
In this research, we summarize the characteristics, potential threats, and recommendations to improve the security posture of enterprises and telecommunications companies. The following are some areas of concern that we feature in the analysis.
Voice calls remain as one of the most trusted types of communication. Still, attackers can take advantage of the trusted environment, infrastructure, and interconnection between operators by exploiting inter-carrier trust to implement remote attack scenarios. Access to telecom infrastructure in a foreign country is also enough to conduct voice call redirection and interception. Attack scenarios can include abusing a legitimate indoor small cell legitimately installed in private spaces such as bars, using a war box, or intercepting data and voice calls with a rogue base station, among other possible scenarios.
Given the level of presumed trust, voice call interception attacks (or wiretapping) often target high-value targets such as C-level executives, key political figures, lawyers, journalists, and activists, to name a few. Attacks of this type not only bypass information security but also gain access to high-value information that can be used, for example, to influence the outcome of negotiations and trading. Our research features some high-profile examples of this kind of attack, such as those in Italy and Uganda.
Recommendation: If available, algorithms that are used in the financial sector can be federated with telecom logs such as Benford’s Law for anti-fraud detection triggers. Incident response (IR) teams can monitor and track when abuse and fraud occur, allowing alertable and predictable patterns for criminal behaviors. Users are also encouraged to use point-to-point encryption in their voice applications and advised to disable GSM on their phones if possible.
More frequently, developers include SMS-authentication for their projects as a reliable option for logging and processing transactions such as one-time passwords (OTP). However, as SMS is exchanged in cleartext within the telecom network, it is still prone to interception and downgrade attacks.
A telecom core network can be considered “protected” depending on how a telco perceives the term “security domain.” In reality, however, since a telecom core network is usually only one domain, the data within it is only protected from the outside and not the inside. Therefore, a hacker or insider can intercept the SMS or downgrade a 4G/5G service area to a less secure network, such as GSM.
SMS is also the backup channel that is used for remote operational technology (OT) systems, such as industrial routers and cellular OT devices, which support commands over the air (OTA). These systems are more susceptible to interception due to the coverage of GSM, which is wider compared to newer generations of telecommunications technology.
Through social engineering, SIM swapping has also been used by malicious actors who pretend to be users in distress. Usually, a malicious actor calls a telecom service center pretending to be a user who has lost their device or SIM. In response, the service center then transfers the subscriber’s account and phone number to the attacker, after which all text messages are then sent to the malicious actor instead of to the unwitting legitimate subscriber. Previously documented cases of this include malware impersonating Android tools to steal authentication codes, not to mention the “MessageTap” malware used to hack SMS centers in telecom.
Recommendation: Instead of SMS, users should consider other means for authentication, such as mobile app authenticators or a mobile phone push-notice.
Calling line ID spoofing
Calling line ID spoofing (CLID) is a legitimate standards-based activity used for legitimate purposes, including masking call centers behind 1-800 hotline numbers. It can also be abused by criminals for attacks on individuals, such as malicious actors impersonating organizations like banks and government agencies. Attack scenarios like these abuse the trust established with well-known numbers of organizations.
One scenario can involve a customer getting a call or a text message from their bank. This transmission can include a request for action due to a “reason” with which a customer is lured into unintentionally sharing their credentials or other sensitive information with an attacker via a phishing site. Other attack scenarios also include:
- Attackers impersonating law enforcement agencies and government authorities.
- High-ranking officials receiving calls from numbers that they identify as belonging to other officials but in reality belong to pranksters.
- Malicious actors using a customer’s number to authenticate calls to organizations.
Notably, attacks like these were observed in 2020 in Australia and Singapore. In both cases, the respective communities were warned about scammers impersonating government agencies or officers to either purchase or pick up specific items.
Recommendation: Users and organizations should double check the origin of incoming calls and text messages as part of a multilayered defense strategy. It is also recommended to empower existing processes by using data such as telecom logs that are related to the origins of text messages or calls.
Compared with the quantitative model of denial of service (DoS) wherein a system is overloaded with volumes of traffic, telephony denial of service (TDoS) is a qualitative model of DoS wherein the service is “turned off” for the targeted legitimate user. The attackers abuse the existing business processes of telecommunications companies for managing fraud to create a scenario that paints an intended victim’s phone number and SIM as belonging to a fraudster. The telco then blocks the victim’s number and SIM card, which are now tracked as sources of detectable fraud. As a result, it is likely that the victim will be required to make a personal appearance at the telco office to restore their services.
This approach to DoS can be thought of as a “black flag,” wherein fraud is done specifically for the purpose of having the victim (either a person or a company) be caught and blocked. Attack scenarios like these include the attacker being situated within the range of the victim’s SIM and phone number for the telco to track these as the source of fraud and for the victim to be treated as highly suspicious moving forward. The attackers can also prolong the outage of data connectivity and phone calls by calling the telco multiple times to request for restoration of services, thus making it difficult for the telco to tell the difference between real victims and fake ones.
It must be kept in mind that the victim might not have either the connectivity or the ability to place a phone call, and outages like these could then require the victim to travel long distances just to make a personal appearance at the telco office. Attackers can abuse this situation further for extortion by contacting the victim and pretending to have the ability to restore services in exchange for specific demands. This was the attack scenario in a number of islands in the Pacific via international revenue sharing fraud (IRSF).
Recommendation: As customers, both organizations and users can build a strong relationship with their respective sales account representative or executive to bypass the gaps in processes to restore connectivity and phone services. In this sense, it would also be advisable to have an alternative means of communicating with such a contact.Whaling by SIMjacking
Whaling comes from the term “phishing” but pertains to targeting “big fish” such as VIPs who can include journalists, politicians, CEOs, celebrities, and athletes, to name a few. SIMjacking is also known to others as SIM swapping, an attack that redirects the cellphone traffic of a targeted “whale” to a malicious actor. This allows the attacker to originate voice calls or messages to other employees for business email compromise (BEC), such as intercepting SMS-based multifactor authentication (MFA) codes or authorizing company bank transfers.
One the easiest ways to start this is through social engineering using multiple points of attack and personnel, specifically by targeting points or individuals within the telecommunications company. More importantly, just one valid point would allow attackers to gain control of not just one VIP account, but an entire customer base.
Recommendation: It is advisable to use non-SMS-based means for authentication, such as authenticator apps. VIPs can also employ a federated identity and asset management (IAM) system and rethink IAM controls handled by telecom personnel.
The integration of telecommunications infrastructure for almost all critical verticals has been an ongoing trend, and it will likely continue with the opportunities brought about by 5G and 6G in terms of technologies, capabilities, financials, and attack surfaces. As a result, IT and security teams need to become aware of the evolving risks to IT assets, as well as of the differences in required concepts, equipment, skills, and training to deal with such risks. Ultimately, when choosing tools to improve visibility and security baselining, the new dependencies, network relationships, and vulnerabilities resulting from these new technologies and developments must be taken into consideration.