When subscribers avoided using roaming, security of the roaming wasn’t that important. Now the environment has all changed. Here’s my subscriber experience with roaming and why roaming security should be an essential part of every mobile operator’s security strategy.
Several years ago, when traveling to Spain, I quickly found out that my U.S. mobile carrier did not have interconnection agreements with the local provider (even though they claimed they did). As I quickly dashed between Wi-Fi-enabled cafes, I tried (unsuccessfully) to find my way to a local restaurant using the map application on my mobile phone. Lost, tired and near desperation (it was now dark and raining), I begged a cab driver to take me to my destination, which turned out to be only two blocks away. I made it to my dinner appointment, and in frustration turned off all cellular services for the remainder of the trip. My co-workers – more seasoned in international travel – had already learned the tricks of international roaming – purchasing local SIMs, turning off data roaming, or having a large enough expense budget to handle the “bill shock” of roaming charges. I had just joined the ranks of the “silent roamers.”
Was I concerned about security in that roaming experience? No, I just stopped using my phone when I traveled. Cost was my only consideration.
So, with my phone turned off, I never experienced any of the potential risks associated with roaming protocols, such as having my subscriber details hijacked by a cybercriminal or racking up premium service charges against my account. I was never aware that cybercriminals could eavesdrop on my calls and messages to gather information about my credentials and the mobile network I was accessing. I never noticed my service being disrupted or malicious messages being injected into my communications. I didn’t know whether my credentials were used to gather information about network nodes to be attacked. These are all possible attack scenarios identified by the GSMA and used by cybercriminals against roaming subscribers and the mobile networks they are using.
But since my use was infrequent, my risk was low, I didn’t consider security requirements very carefully. At that time, neither did many mobile operators.
Now, of course, the experience of roaming has totally changed along with subscriber expectations of mobile services. Now I am, as are most roaming subscribers, deeply attached to my phone and all the other connected devices we use and wouldn’t consider turning any of them off while traveling. Much of the artificial price barriers that inhibited subscribers from using the services have been eliminated or baked into flat-rate services. The EU Roam Like at Home legislation in 2017 now prohibits excessive roaming fees and other non-EU countries are following suit. As a result, global international roaming traffic – voice and data – has surged and is expected to grow 32X by 2022 and to reach over 1.5 Mb per subscriber annually.1
As for me, I used my phone and tablet quite a bit on my last trip to Spain.
These levels of subscribers, traffic volume and lightly protected devices are very attractive to malicious actors looking to exploit vulnerabilities in the common protocol, GTP, used in roaming and other interface links in mobile networks.
Roaming has evolved and so has the need for deeper security. The industry now is rethinking its approach to roaming, including reevaluating legacy security approaches. In 4G, GSMA guidelines recommended deployment of a roaming firewall at the roaming interface (S8) to protect against the know vulnerabilities of GTP. In 5G, roaming partners will be connected through the Security Protection Proxy (SEPP) for the control plane using http2 protocol, but the user plane will still use GTP. A recent survey sponsored by A10 Networks revealed that 74 percent of mobile operators are planning to upgrade or add a roaming firewall into their networks as they move into 5G. This is, indeed, a good sign that operators are taking the growing threats seriously.
A10 Networks GTP firewall protects networks and subscribers against the GTP vulnerabilities identified by the GSMA. The highly scalable 5G solution is available in physical, virtual, and container forms and assures operators that they can protect their networks and subscribers and maintain the high performance demanded by subscribers throughout the entire 4G to 5G journey.
For more information, please download the solution brief.
How much is growth in subscribers or locations going to cost you in the next 5 years for additional IPv4 addresses?Estimate Your IPv4 Costs Now