Positive Technologies has warned that its research confirms vulnerabilities in the world’s mobile infrastructure still exist, despite millions being invested to upgrade the UK’s network to Diameter to carry 4G and 5G traffic.
The unaddressed flaws leave mobile communications, and the security practices founded on them, vulnerable, allowing hackers to intercept and divert SMS messages, including passcodes meant to validate identity and authorise transactions; eavesdrop on phone conversations; locate users via GPS signal; instigate denial-of-service attacks against the whole network; and carry out other illegitimate actions. Earlier this year attackers stole funds from bank accounts after redirecting one-time passcodes (OTPs) sent by banks in Germany via text message (SMS), confirming that real-world attacks have been devised and can be successfully executed.
“The mobile network infrastructure is based on a set of telephony signalling protocols, developed in 1975, when security wasn’t a consideration but was less of a risk as only a few people had access. Today that’s no longer true. Access has spiralled yet security is still non-existent,” explains Michael Downs, Director of Telecoms Security (EMEA) of Positive Technologies. “With Diameter [the new protocol for 4G and 5G networks] designed as a platform for thousands of emerging IoT applications – from cars to connected cities – these lax security practices leave us all vulnerable as hackers can easily exploit these flaws.”
Earlier this year it was confirmed that attackers in Germany had accessed the global mobile infrastructure and diverted one-time passcodes sent from banks via SMS to authorise transactions and steal money out of compromised accounts. Speaking about this development, Michael adds, “This incident shows that these vulnerabilities in the mobile infrastructure open mobile users to the same kind of mass cybercrime threats that Internet users have suffered for years. There’s zero security, with zero control, which equals zero trust. Networks must accept the threat, educate themselves about the attack vectors being used and move to monitor and neutralise the problem. In the meantime, given it’s been proven fallible, using mobile channels as an additional layer of security has to be paused.”