Better network monitoring and information-sharing are needed to mitigate vulnerabilities in a communications protocol used in wireless networks and by Internet of things devices, an FCC advisory committee said today. The FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC) approved a report from its working group 3 (WG3), which has been looking at network vulnerabilities associated with the Diameter protocol.
WG3’s chairman, Travis Russell, director-cybersecurity at Oracle Communications, compared the group’s work to a similar CSRIC effort to enhance the security of Signaling System 7 (SS7), a 1970s-era technology widely used to connect wireline phone calls (TR Daily, Oct. 26, 2017).
Diameter contains similar vulnerabilities as SS7, Mr. Russell said, and is being used for wireless communications, although he noted that Diameter had not been widely adopted. Globally, many wireless operators are still using SS7 to enable roaming, and Diameter has not been implicated in any cybersecurity incidents, he said. “Unlike SS7, we haven’t seen a whole lot of attacks in the wild,” Mr. Russell said at today’s CSRIC meeting. “In fact, we have seen none. We have seen reports that some of the vendors have been putting out that they see suspect traffic. But suspect traffic can also be a misconfiguration of a node, which nine times out of 10, that’s what it is.”
Still, Diameter offers a variety of avenues for hackers to gain access to users’ accounts, intercept voice calls and data transmissions, and track user locations, he said. Many of those attack vectors can be closed off by properly configuring networks using Diameter, he said.
A common mistake by technology personnel, for example, is to “take a critical network function and attach it to a public-facing Internet to make it easier for them to do remote diagnostics, remote provisioning, and so on, not understanding that they have just exposed the entire core network to the world,” he said.
“We see this all over the world,” he added. “I have found many instances of that happening here in the United States as well. An insecure network configuration does make attack easier and opens up another attack vector.”
The working group issued a series of recommendations, including the establishment of better information-sharing on network threats and the issuance of best practices for users of Diameter. Wireless operators should spend more time monitoring their networks and should establish several defensive barriers to deter hackers, the group said.
“Make it as difficult as possible,” Mr. Russell advised. “Hackers are lazy. If they get too many barriers, they will go away.”
CSRIC also heard interim reports from two other working groups, WG1, which is working on the transition to next-generation 911 (NG-911) service, and WG2, which is tasked with undertaking a “comprehensive reimagining of emergency alerting.”
WG1 expects to have a report on “911 system reliability and resiliency during the NG911 transition” done by June and a report on “small carrier NG911 transition considerations” finished by September. WG2’s report on “reimagining alerting” should be done by June. — Tom Leithauser, firstname.lastname@example.org