Mobile Telecommunications Security Landscape
February 2022
Contents

GSMA CTO Foreword
Executive Summary
Introduction
Building Mobile Security Resilience
    Fraud & Security Working Groups
    Securing the 5G Era
    Telecommunication Information Sharing and Analysis Center
    Coordinated Vulnerability Disclosure Programme
    Security Accreditation Scheme
    Network Equipment Security Assurance Scheme
    GSMA Security Publications
Securing 5G
    The 5G Security Landscape
    The 5G Security Response
Software Security
    The Software Security Threat
    The Software Security Response
Malware
    The Malware Security Threat
    The Malware Response
Cloud & Virtualisation Security
    The Cloud & Virtualisation Security Threat
    The Cloud & Virtualisation Security Response
Operational Security
    The Operational Security Threat
    The Operational Security Response
IoT Security
    The IoT Security Challenge
    The IoT Security Response
Signalling & Interconnect Security
    The Signalling & Interconnect Threat
    The Signalling & Interconnect Response
Supply Chain Security
    The Supply Chain Threat
    The Supply Chain Response
Final Thoughts
GSMA CTO Foreword

Now, more than ever, connectivity is key. Deployment of 5G networks must remain at the forefront of change as this next generation technology will stimulate digital growth, innovation and new levels of efficiency across industries. The mobile sector is committed to making a fairer, greener world supported by a thriving and resilient digital economy.

The mobile world is undergoing a number of fundamental transformations, whether it be the move to 5G, new services or cloud-based networks. Security is a key enabler to building in operational resilience that enables confidence, trust and growth.

GSMA has an important role in convening the industry, be that through world-class events like Mobile World Congress, driving innovation in digital technology to reduce inequalities in our world or developing new security mechanisms that enable new generations of mobile technology to be deployed securely. The GSMA, through its work on a wide range of security issues, has long played a significant role in this space.

There is much to do to ensure mobile networks are secure and operate in concert to provide mutual protection. I am delighted to introduce this latest GSMA Mobile Telecommunications Security Landscape Report that highlights some of the ongoing and recent threats in the mobile sector, before offering details on how GSMA members build security resilience into operational mobile networks.

Given the challenge, we will succeed by working together to develop and implement security best practices. Please take the time to read this paper and get involved in this team effort. Existing GSMA members can continue to contribute to our security work and are encouraged to apply GSMA security guidelines and recommendations within their businesses. Other interested stakeholders are welcome to get involved and they can do so by joining the GSMA, which will ensure access to a breadth of security advice and best practices.

Alex Sinclair
Chief Technology Officer
GSMA
Executive Summary

Welcome to the GSMA's 4th annual Mobile Telecommunications Security Landscape report. The report provides an overview of the significant security topics that GSMA sees as important for the mobile industry.

This document aims to assist the mobile ecosystem to build stronger security resilience by presenting key security topics through a lens of first, the security threat, and second, the security response. Importantly, the document is positioned to communicate the extensive resources available from GSMA and the wider industry that will inform any security response against these security threats. The document also demonstrates the ongoing value and difference GSMA is making to the security of the mobile ecosystem.

The GSMA approach to building mobile network security resilience is highlighted before exploring a series of important security topics. For each security topic, the security threat is discussed before pointing to relevant GSMA security advice. GSMA offers its members considerable security[1] expertise and services through a range of activity areas that collectively build a knowledge base, guidelines and services that build stronger mobile network security resilience. The member-only[2] content can be accessed by joining GSMA as an Operator, Industry, Rapporteur or Sector member and then using GSMA's resources and extensive document repository. Additionally, complementary content is included on wider (non-GSMA) security best practice recommendations in key areas.

The security topics discussed in this report are categorised into a number of distinct groupings. These topics start at securing 5G and flow through the enabling software and cloud topics before covering broader operational security aspects. Following this, two particular functional areas are explored (Internet of Things (IoT) and signalling security) before concluding on the broader supply chain topic. These categories consist of the following:
• Securing 5G
• Software, including open source code
• Malware
• Cloud & virtualisation
• Operational Security
• IoT
• Signalling & Interconnect
• Supply Chain

Finally, the report recommends implementing existing advice, maintaining active contributions to building security guidance and seeking out opportunities to get involved.

[1] https://www.gsma.com/security/
[2] https://www.gsma.com/membership/membership-types/
Introduction

Modern mobile cellular networks support a wide variety of services that go well beyond providing basic voice and short messaging services. They now include the provision of high bandwidth communication with complex security requirements. As a result, their security architectures have evolved over successive generations to define increasingly elaborate end-to-end security coverage.

Meanwhile, the rapid evolution of mobile communications over the past decade has led not only to the convergence of mobile and fixed network connectivity but also to the exposure of mobile networks to new interfaces outside a network operator's control.

This document aims to assist the mobile ecosystem to build stronger security resilience by presenting key security topics through a lens of first, the security threat, and second, the security response.

It is important to consider the wider operating context in which operational mobile networks exist. There is a current (and increasing future) reliance that industry verticals place on mobile networks. This is likely to increase as advanced 5G services enable end-to-end network slicing. Mobile networks are also a potential attack vector into industry verticals (which themselves have industry-specific cyber security requirements). This broader context is explored in a range of publications including:
• The US National Security Agency has published security advisory[3] papers identifying potential threat vectors to 5G infrastructure
• The European Union Agency for Cybersecurity (ENISA) Threat Landscape[4]
• The ENISA Supply Chain Threat Landscape[5]

This fourth edition of the GSMA Mobile Telecommunications Security Landscape report builds on the 2019, 2020 and 2021 reports to present an updated view of the evolving landscape.

THE GSMA'S DESIRE REMAINS TO ENHANCE AWARENESS AND ENCOURAGE APPROPRIATE RESPONSES TO SECURITY THREATS.

[3] https://www.cisa.gov/sites/default/files/publications/potential-threat-vectors-5G-infrastructure_508_v2_0%20%281%29.pdf
[4] https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
[5] https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
Building Mobile Security Resilience

The main purpose of a mobile network operator's security architecture is to provide security assurance characterised by the need to preserve three key attributes: Confidentiality, Integrity and Availability, often known as the 'security triad' or simply by the abbreviation 'CIA'.

In mobile network architectures, as data is processed, stored or transmitted to and from different components of a network or networks, maintaining the security triad throughout is of prime importance to ensure reliable end-to-end security protection.

GSMA offers its members considerable security[6] expertise and services through a range of activity areas that collectively build a knowledge base, guidelines and services that build stronger mobile network security resilience.

Fraud & Security Working Groups

The GSMA's Fraud and Security Group[7] (FASG) drives the association's management of fraud and security matters related to mobile technology, networks and services. The group has two primary objectives: firstly, to maintain or increase the protection of mobile operator technology and infrastructure; and secondly, to maintain or increase the protection of customer identity, security and privacy such that the mobile industry's reputation stays strong and mobile operators remain trusted partners in the ecosystem. FASG provides an open, receptive and trusted environment within which fraud and security intelligence and incident details can be shared in a timely and responsible way. Members gain from the significant body of knowledge published on fraud and security matters. FASG has a number of sub-groups including the Fraud and Security Architecture Group, the Device Security Group, the Roaming and Interconnect Fraud and Security Group and the Security Assurance Group.

Securing the 5G Era[8]

5G has security controls designed in to address many of the threats faced in legacy 4G/3G/2G networks. These controls include new mutual authentication capabilities, enhanced subscriber identity protection and additional security mechanisms. 5G offers the mobile industry an unprecedented opportunity to uplift network and service security levels. 5G provides preventative measures to limit the impact of known threats, but the adoption of new network technologies introduces potential new threats for the industry to manage. GSMA explores a range of security considerations including secure by design, 5G deployment models and 5G security activities (see the Securing 5G section later in this paper).

Telecommunication Information Sharing and Analysis Center

The GSMA T-ISAC[9] is the central hub of security information sharing for the telecommunication industry. Driven by the ethos "One organisation's detection is another's prevention", we believe information sharing is essential for the protection of the mobile ecosystem and the advancement of cybersecurity for the telecommunications sector. Drawing on the collective knowledge of mobile operators, vendors and security professionals, the T-ISAC collects and disseminates information and advice on security incidents within the mobile community, in a trusted and anonymised way.

Coordinated Vulnerability Disclosure Programme

The GSMA CVD[10] programme gives security researchers a route to disclose a vulnerability impacting the ecosystem, affording the industry an opportunity to assess the impact and mitigation options before details of the discovered vulnerabilities enter the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers' security and trust in the mobile communications industry.

[6] https://www.gsma.com/security/ and member-only resources
[7] https://www.gsma.com/aboutus/workinggroups/fraud-security-group
[8] https://www.gsma.com/security/securing-the-5g-era/
[9] https://www.gsma.com/security/t-isac/
[10] https://www.gsma.com/security/gsma-coordinated-vulnerability-disclosure-programme/
CASE STUDY: Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2

Research was submitted to GSMA's CVD Programme which identified weaknesses in two GPRS Encryption Algorithms (GEA-1 and GEA-2) allowing an eavesdropping attack using a false base station (GPRS does not authenticate the network to the device, so a false base station can steer a device that still supports GEA-1 onto the weak algorithm). Despite support being prohibited by 3GPP specification releases over the last decade, a majority of devices (including modern/flagship devices) continued to support GEA-1.

The responsible disclosure of the research findings provided time for GSMA, GSMA members and the wider industry to prepare for this research to be released.

The advance notice allowed the industry to issue updates to relevant standards to ensure the removal of GEA-1 from devices in the field and from new devices, as well as to update test cases for new devices to test for non-support of GEA-1. Within a week of the public release of the research, 3GPP standards were updated so that devices conforming to older specification releases do not support GEA-1 and GEA-2.

Changes were also made to the following GSMA Permanent Reference Documents:
• Addition of a GEA-1 field trials test case to GSMA's Device Field and Lab Test Guidelines (TS.11)
• Change to the Network Settings Exchange default settings in GSMA's Technical Adaptation of Devices through Late Customisation (TS.32)
• Updated advice in GSMA's Security Algorithm Deployment Guidance (FS.35)

All of these change activities were undertaken by GSMA to ensure the compromised GPRS encryption algorithms are removed from devices to protect mobile users.

Security Accreditation Scheme

The Universal Integrated Circuit Card (UICC) in mobile devices, and its associated applications and data, play a fundamental role in ensuring the security of the subscriber's account and related services and transactions. The GSMA's Security Accreditation Scheme[11] enables mobile operators to assess the security of their UICC and Embedded UICC (eUICC) suppliers, and of their eUICC subscription management service providers.

Network Equipment Security Assurance Scheme

The Network Equipment Security Assurance Scheme[12] (NESAS), jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, and uses 3GPP-defined security test cases for the security evaluation of network equipment.

NESAS provides a security baseline to evidence that network equipment satisfies a list of security requirements and that the equipment has been developed in accordance with vendor development and product lifecycle processes that provide security assurance. NESAS is intended to be used alongside other mechanisms to ensure a network is secure. The scheme has been designed to be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to define additional security requirements.

GSMA Security Publications

The GSMA security website[13] includes a number of informative and instructive publications, whilst GSMA members can exclusively access additional content specifically addressing a wide range of fraud and security topics.

[11] https://www.gsma.com/security/security-accreditation-scheme/
[12] https://www.gsma.com/security/network-equipment-security-assurance-scheme/
[13] https://www.gsma.com/security/
Securing 5G

GSMA's aim for 5G is for it to be secure and resilient in operation. 5G presents an important opportunity for the mobile industry to enhance network and service security, both as inherently designed within the network functions and through deployment strategies. New authentication capabilities, enhanced subscriber identity protection and additional security mechanisms will result in significant security improvements over legacy generations.

As of Q3 2021:[14]
• 5G was commercially available from 107 operators in 47 markets worldwide
• 5G trials were undertaken at 217 operators in 100 markets
• User adoption was at 135 million connections
• Mobile 5G connections are set to reach 1.8 billion connections by 2025

This rollout period is a pivotal time, as the approach taken to implement and operationalise the architecture and underlying technologies presents a significant opportunity to realise the security benefits afforded by the secure-by-design 5G standards, both within the core ecosystem and in interoperable non-mobile services. Good operational hygiene, secure configuration and continued focus on security in operation are also key.

The 5G Security Landscape

Analyses of the 5G security landscape have been performed that help inform the likely threat stance. GSMA's 5G Security Guide (FS.40, available to GSMA members) contains an overview of the security aspects and capabilities of 5G networks. The document serves as an educational resource for GSMA members that describes the security enhancements and capabilities inherent in 5G technology and highlights a range of implementation considerations for network operators.

It is important to recognise that 5G capabilities are likely to co-exist with previous generations of mobile infrastructure for some time, in which case both existing and new infrastructure will need to be secured. An FCC Communications, Security, Reliability and Interoperability Council (CSRIC) report[15] identifies risks to 5G from legacy vulnerabilities and recommends best practices for mitigation.

There is a high degree of correlation in the key topic areas identified across publications from a number of industry bodies (including the FCC and 3GPP), and these also reflect many of the topic areas addressed in this GSMA Mobile Telecommunications Security Landscape report. These areas include:
• The cloud-native nature of 5G
• The range of attack vectors
• The threat to the network stack
• The threat to data in transit, in use or at rest
• The threat to the integrity of infrastructure
• The security of software defined networks and functions
• Open source software in 5G networks
• IoT in the context of 5G
• Roaming
• Sufficiency of security measures
• The 5G supply chain
• Security of management and signalling planes

[14] GSMAi Statistics: Global 5G Landscape Q3 2021
[15] https://www.fcc.gov/file/18918/download
The 5G Security Response

Historically, operator networks have mainly used telecom-specific protocols (such as Diameter over SCTP, shown in Figure 1) for signalling and network management. 5G Core (5GC) moves to an IP-based protocol stack drawn from the wider IT industry, allowing interoperability with a wider number of services and technologies in the future. The following protocols, schemas and processes are adopted in 5GC (see Figure 1):
• HTTP/2 on the service-based interfaces (N8 between AMF and UDM in Figure 1, and N32 between PLMNs), replacing Diameter over the S6a reference point
• TLS as an additional layer of protection providing encrypted communication between all network functions (NF) inside a Public Land Mobile Network (PLMN)
• TCP as the transport layer protocol, replacing the Stream Control Transmission Protocol (SCTP)
• A RESTful framework with OpenAPI 3.0.0 as the Interface Definition Language (IDL)

Figure 1: 4G to 5G Security Enhancements (the Update-Location exchange and its protocol stack in each generation)

    4G (S6a)             5G (N8)
    UPDATE-LOCATION      UPDATE-LOCATION (JSON)
    Diameter             HTTP/2
    -                    TLS
    SCTP                 TCP
    IP                   IP

INDUSTRY INSIGHT:
umlaut[16] reports on some common issues observed in the course of conducting air interface security assessments on 5G networks. Each identified gap is a security weakness that can be mitigated with suitable controls.
• 5G Stand-Alone and Non-Stand-Alone: confidentiality protection (encryption) is not enabled at all locations on the radio network (user plane), so users on parts of those networks do not benefit from encryption of the radio communication.
• 5G Stand-Alone: User Plane Integrity Protection (UPIP) is not enabled, which could allow traffic redirection / interception attacks.
• 5G Stand-Alone: identity protection of users (SUPI concealment via the SUCI) is not enabled, so location tracking attacks remain possible on those networks.
• The temporary identifiers (5G-GUTI / TMSI) are, in some deployments, not randomised (often incremental), which makes successive identifiers linkable to the same user.
• Lack of security on slices / APNs: traffic between users is allowed, and core elements are reachable from a 5G user perspective.

[16] http://umlaut.com/en/contact-us
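The fourth umlaut finding above (temporary identifiers re-allocated incrementally rather than randomly) is one an assessor can test from a handful of observed re-allocations. The following Python is an added example written for this page; it is not code from the GSMA report or from umlaut. It assumes 32-bit 5G-TMSI values (the width defined in 3GPP TS 23.003) collected over successive re-allocations to the same UE, and it uses constructed sample values rather than captured data.

```python
"""Added example (not from the GSMA report or from umlaut): a check for
non-randomised temporary identifier allocation, run over constructed 5G-TMSI
samples. Assumes 32-bit 5G-TMSI values observed over successive
re-allocations to the same UE during an air-interface assessment."""
from collections import Counter

TMSI_BITS = 32  # width of the 5G-TMSI inside the 5G-GUTI (3GPP TS 23.003)

# Constructed samples, not captured data.
INCREMENTAL_SAMPLE = [0x1A2B3C00 + i for i in range(12)]
RANDOM_SAMPLE = [
    0x9F3A1C77, 0x0B6E42D9, 0xE1208A5C, 0x5D94F301, 0x7A0CBE46, 0xC35F1D98,
    0x28B7E6A3, 0xF46D0B2E, 0x3E81A7C5, 0x61D5394A, 0xB2F6C80D, 0x0D4A57E1,
]


def consecutive_deltas(tmsis):
    """Differences between successive allocations."""
    return [later - earlier for earlier, later in zip(tmsis, tmsis[1:])]


def fraction_small_steps(tmsis, max_step=16):
    """Share of re-allocations that move the identifier by a small positive step."""
    deltas = consecutive_deltas(tmsis)
    if not deltas:
        return 0.0
    return sum(1 for d in deltas if 0 < d <= max_step) / len(deltas)


def constant_stride(tmsis):
    """True when every re-allocation adds the same non-zero amount (a counter with a stride)."""
    deltas = consecutive_deltas(tmsis)
    return len(deltas) > 1 and len(set(deltas)) == 1 and deltas[0] != 0


def varying_bits(tmsis):
    """Number of bit positions that take both 0 and 1 across the sample.
    A counter only ever touches its low bits; a random allocator touches all of them."""
    ones = Counter()
    for value in tmsis:
        for bit in range(TMSI_BITS):
            if (value >> bit) & 1:
                ones[bit] += 1
    return sum(1 for bit in range(TMSI_BITS) if 0 < ones[bit] < len(tmsis))


def assess_allocation(tmsis, max_step=16, sequential_threshold=0.5):
    """Return human-readable findings; an empty list means no predictability signal.
    The thresholds are assumptions chosen for the constructed samples."""
    findings = []
    small = fraction_small_steps(tmsis, max_step)
    if small >= sequential_threshold:
        findings.append(f"sequential allocation: {small:.0%} of re-allocations step by at most {max_step}")
    if constant_stride(tmsis):
        findings.append(f"constant stride of {consecutive_deltas(tmsis)[0]} between re-allocations")
    changing = varying_bits(tmsis)
    if changing < TMSI_BITS // 2:
        findings.append(f"low variability: only {changing} of {TMSI_BITS} bits change across {len(tmsis)} samples")
    if len(set(tmsis)) < len(tmsis):
        findings.append("identifier values repeat within the sample")
    return findings


if __name__ == "__main__":
    for label, sample in (("incremental", INCREMENTAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(label, assess_allocation(sample) or ["no predictability signal"])
```

A counter shows up in two ways: successive values differ by a small constant, and only the low-order bits ever change. On a real capture the step limit and the half-the-bits threshold should be set from the number of observations rather than taken from this example. An allocator that passes these checks is not proven unpredictable, only not trivially predictable.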
As the protocols adopted in 5GC (HTTP/2, TLS, TCP) are used in the wider IT industry, their use will likely:
• Lead to a shorter vulnerability-to-exploitation timeline, and a higher impact from vulnerabilities located within these protocols
• Expand the potential pool of attackers. 4G and especially 3G core networks benefit from attackers having little experience or familiarity with the telecom-specific protocols and standards used within them

The GSMA's 5G Security Task Force (5GSTF) is responsible for monitoring work on 5G security, within GSMA and across the wider industry and the standards development community, with a view to ensuring all necessary enablers are in place to deliver secure and resilient operational networks. In particular, the taskforce focuses on potential gaps between standards and operational implementations, and on the resolution of those gaps.

5G offers the mobile industry an unprecedented opportunity to uplift network and service security levels. These controls are discussed and assessed at GSMA Securing the 5G Era[17]. The GSMA has collated this analysis into a 5G Cybersecurity Knowledge Base[18] to provide useful guidance on a range of 5G security risks and mitigation measures.

Figure 2: A Range of Software Development Arrangements (referenced in the Software Security section)

    Proprietary code  <------------------------------------->  Open source code
    • Pure proprietary: private / proprietary code
    • Proprietary code re-using open source code
    • Commercial open source code
    • Community open source code

[17] https://www.gsma.com/security/securing-the-5g-era/
[18] https://www.gsma.com/security/5g-cybersecurity-knowledge-base/
Software Security

Software is fundamental to the delivery of mobile communications networks, both in proprietary form and, increasingly, as open source. The telecommunications industry uses software from the open source community in a range of architectural deployments, including to provide virtualised middleware, as a software component running on virtualised infrastructure, or within proprietary code implementations. Malicious software (malware) and ransomware (explored in the next section) have the potential to pose a significant risk.

A list of the most commonly exploited vulnerabilities was published in a Joint Cybersecurity Advisory[19] by CISA and partner agencies. The document provides details on the top 30 vulnerabilities, primarily Common Vulnerabilities and Exposures (CVEs), routinely exploited by malicious cyber actors in 2020 and those widely exploited in 2021. The vulnerabilities allowed a range of undesirable actions including arbitrary code execution, arbitrary file reading, path traversal, remote code execution and escalation of privilege.

The Software Security Threat

The threat of poorly written code, or the deliberate insertion of malicious code, that could be used to compromise network operation, data or service features is a concern. Software vulnerabilities can be found in every code type illustrated in Figure 2.

All varieties of code can contain vulnerabilities. Open source code appears in a wide range of code development, including complete modules, libraries, utilities and partial code re-use. For proprietary executable code, the vendor will typically provide all the development resources (coders) and follow its own company-specific software development practices, but the code is not typically open for inspection from outside the vendor. For open source code, the main focus is typically to deliver the required functionality. Development processes can vary, but open source code is available for detailed inspection.

INDUSTRY INSIGHT:
Regular cloud solution security testing conducted by umlaut[20] has found a lack of software validation in network systems deployed in production: for example, software images not being signed, and signatures not being verified during installation and acceptance of software images. Additionally, the integrity and protection of software images are not enforced. Certificate-based authentication and integrity protection of images is rarely delivered, so it cannot be guaranteed that the software being installed is the same version that was created by the vendor. Finally, reverse engineering of some telco software images has shown that hardcoded accounts and passwords can be recovered from the image and may remain in use in production systems. Credentials were extracted which may allow an attacker to access and manipulate the images remotely. Note: all issues found during this testing have been reported in a coordinated way.

[19] https://us-cert.cisa.gov/ncas/alerts/aa21-209a
[20] http://umlaut.com/en/contact-us
The Software Security Response

The GSMA recommends that a secure Software Development Life Cycle (SDLC) is implemented. This lifecycle should include quality control stages, with code review at module and system level, including both static and dynamic testing. Code language choice should consider security issues such as type safety and vulnerable functions. An example of the recommended controls is the objective to prevent Mobile Edge Compute (MEC) applications from attacking the MEC platform / virtualisation / hardware layer, recognising that applications may contain malicious code and/or abuse their privileges. Note: MEC should be viewed like a public cloud, with similar adversaries and attack vectors. This objective is met through a series of controls including:
1. Block local application deployment except for emergency cases
2. Block installation and execution of unsigned applications
3. Scan workload images/packages continuously for malicious components, misconfigurations and known vulnerabilities
4. Execute workloads with least privilege
5. Isolate workloads, using multi-layered isolation between workloads and the MEC platform, to prevent workloads escaping their process sandboxes
6. Isolate workload resources, specifically compute, memory, storage and network
7. Separate MEC control and management networks from workload networks, and use confidentiality, integrity and replay protection mechanisms to prevent bypass / isolation break-out and spoofing / injection into MEC platform internal functional domains
8. Prevent direct pass-through, and malicious workloads that may bypass MEC policies
9. Use dedicated resource allocation for local MEC services
10. Deploy workload protection tools at the host to identify and prevent abnormal activities by workloads
11. Prevent workloads and/or services from performing memory/process/kernel dumps
12. When executing workloads with lightweight virtualisation technologies (e.g. containers), ensure that the associated processes enable data execution prevention, address space layout randomisation and stack protection, to reduce the ability of malicious workloads to escape the process sandbox
13. Use true random number generators for cryptographic operations, to minimise the ability of applications to predict and/or influence cryptographic operations performed by the MEC platform

The availability of a current Software Bill of Materials (SBOM) is a key measure in building an effective response to software vulnerabilities and CVEs, and in implementing bug fixes and code enhancements. A strong SBOM provides detailed knowledge of the composition of code, including modules that may have been re-used, so that it is easier, for example, to understand whether a given CVE applies to the versions of code in use. There is emerging documentation on this approach, notably from the National Telecommunications and Information Administration (NTIA), which has recently published a report[21] on the minimum elements for an SBOM covering data fields, automation support, and practices and processes.

A GSMA report[22] has identified a range of developing controls and described them within the contexts of systems, components and infrastructure. Combining these system and component level considerations can build a framework for considering the design and operation of open networks.

[21] https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
[22] https://www.gsma.com/futurenetworks/resources/open-networking-the-security-of-open-source-software-deployment/
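Controls 2 to 6 and 8 above, the SBOM paragraph, and the umlaut finding in the previous section (unsigned images and unverified signatures) all meet at the point where a workload is admitted onto the MEC platform. The following Python is an added example written for this page; it is not code from the GSMA report, from umlaut or from any MEC vendor. It assumes a hypothetical admission request carrying the vendor's image manifest, a detached signature, an SBOM component list and the workload's runtime spec; the image bytes, SBOM entries and advisory records are all constructed, and the advisory identifier is a placeholder rather than a real CVE. The manifest "signature" is an HMAC under a shared key purely so the example needs no third-party library; a production platform would verify the vendor's certificate-based signature instead.

```python
"""Added example for this page (not from the GSMA report, umlaut or any vendor):
a minimal MEC workload admission check covering image signing, SBOM-based
advisory matching and least-privilege settings. All data below is constructed."""
import hashlib
import hmac
import json

# ASSUMPTION: an HMAC key stands in for the vendor's certificate-based signature
# so the example stays dependency-free. Real platforms verify an asymmetric signature.
VENDOR_MANIFEST_KEY = b"constructed-vendor-key"
# Constructed image content; in practice this is the container image archive.
SAMPLE_IMAGE = b"constructed image bytes for example-nf 1.4.2"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: sign the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_image(image: bytes, manifest: dict, signature: str, key: bytes) -> list:
    """Control 2: reject unsigned, mis-signed or tampered images."""
    findings = []
    if not signature:
        findings.append("image manifest is unsigned")
    elif not hmac.compare_digest(sign_manifest(manifest, key), signature):
        findings.append("manifest signature does not verify")
    if hashlib.sha256(image).hexdigest() != manifest["digest"]:
        findings.append("image digest does not match signed manifest")
    return findings


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """Affected from the introducing version up to, but excluding, the fixed version."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check_sbom(components: list, advisories: list) -> list:
    """Control 3 and the SBOM paragraph: does a known advisory apply to a listed component?"""
    findings = []
    for component in components:
        for advisory in advisories:
            if advisory["name"] == component["name"] and is_affected(component["version"], advisory):
                findings.append(f"{component['name']} {component['version']} affected by "
                                f"{advisory['id']} (fixed in {advisory['fixed']})")
    return findings


def check_privileges(spec: dict) -> list:
    """Controls 4, 6 and 8: least privilege, resource limits, no host pass-through."""
    findings = []
    if spec.get("privileged"):
        findings.append("workload requests privileged mode")
    if spec.get("run_as_root", True):  # absent means the default (root), which fails
        findings.append("workload runs as root")
    if spec.get("host_network") or spec.get("host_devices"):
        findings.append("workload requests host network or device pass-through")
    limits = spec.get("limits", {})
    if not (limits.get("cpu") and limits.get("memory")):
        findings.append("workload has no cpu/memory limits")
    return findings


def admit(request: dict, image: bytes, key: bytes = VENDOR_MANIFEST_KEY, advisories: list = None) -> tuple:
    """Return (admitted, findings); any finding blocks deployment, i.e. fail closed."""
    advisories = ADVISORIES if advisories is None else advisories
    findings = (verify_image(image, request["manifest"], request["signature"], key)
                + check_sbom(request["sbom"], advisories)
                + check_privileges(request["spec"]))
    return (not findings, findings)


# Constructed vendor manifest and signature for SAMPLE_IMAGE.
VENDOR_MANIFEST = {"image": "example-nf", "version": "1.4.2",
                   "digest": hashlib.sha256(SAMPLE_IMAGE).hexdigest()}
VENDOR_SIGNATURE = sign_manifest(VENDOR_MANIFEST, VENDOR_MANIFEST_KEY)
# Constructed advisory feed; the identifier is a placeholder, not a real CVE.
ADVISORIES = [{"id": "CONSTRUCTED-0001", "name": "example-lib", "introduced": "2.0.0", "fixed": "2.3.1"}]

GOOD_REQUEST = {
    "manifest": VENDOR_MANIFEST, "signature": VENDOR_SIGNATURE,
    "sbom": [{"name": "example-lib", "version": "2.3.1"}, {"name": "other-lib", "version": "0.9.0"}],
    "spec": {"privileged": False, "run_as_root": False, "limits": {"cpu": "500m", "memory": "256Mi"}},
}
BAD_REQUEST = {
    "manifest": VENDOR_MANIFEST, "signature": "",            # unsigned
    "sbom": [{"name": "example-lib", "version": "2.2.0"}],   # inside the affected range
    "spec": {"privileged": True, "host_network": True},      # root, privileged, no limits
}

if __name__ == "__main__":
    for label, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        admitted, findings = admit(request, SAMPLE_IMAGE)
        print(label, "admitted" if admitted else "rejected", findings)
```

The check fails closed: the image is rejected if the manifest is missing a signature, if the signature does not verify, or if the image bytes do not hash to the digest the vendor signed, which is exactly the gap umlaut describes. Version matching is done on parsed numeric tuples because string comparison would rank "2.10.0" below "2.3.1"; a real feed would also carry package ecosystem identifiers (such as purls) so that two components with the same short name are not confused.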
Malware

2021 evidenced a range of notable malicious software • Flixonline30 is a malicious app that masqueraded
(malware) attacks including ransomware. as a Netflix viewer spread via WhatsApp using the
auto-reply feature by responding to all incoming
The Malware Security Threat messages to steal credentials
Malware attacks have been noted covering a range • Matryosh31 is a distributed denial of service botnet
of targets including devices, device applications and that re-uses Mirai to target Android device users via
infrastructure. The following is a view of some mobile a diagnostic and debugging interface
malware attacks seen during 2021:
• CDRThief23 is a malware threat that targets specific Linux platformed Voice over IP softswitch systems with an aim to access Call Data Records (CDR)
• GriftHorse24 is a Trojan hidden in malicious apps that targeted Android devices and subscribed unwitting users to premium rated services
• SharkBot25 is an Android banking trojan that allowed fraudsters to steal sensitive banking credentials and information
• PhoneSpy26 is an advanced remote access trojan designed to conduct surveillance of Android users and send data to a command and control server
• Android.Cynos.7.origin27 is one version of the Cynos software modules embedded in Android apps to collect user information and to display advertisements
• AbstractEmu28 is Android device rooting malware that was hidden in malicious apps to allow attackers to assume control over infected devices
• TangleBot29 is advanced SMS malware that uses COVID-19 lures to expose users to risks of data exfiltration, device control and account theft
• A vulnerability in Qualcomm’s Mobile Station Modem (MSM) chips32 could be exploited to compromise Android devices and give attackers access to user conversations and messages

In addition to the list above, there has been a significant increase in reported ransomware attacks. A recent report33 identified the biggest ransomware attacks in 2021. These included reported ransomware attacks on ExaGrid (a backup storage vendor), an attack on Taiwan-based PC manufacturer Acer and the Colonial Pipeline attack34, leading to gasoline shortages across the Eastern United States. Flubot (see later case study), a banking trojan rather than ransomware, was particularly prevalent in the mobile industry. It was reported35 that the operators of the REvil ransomware launched a ransomware attack on the telecommunications company MasMovil. TT Network, the joint mast operation of Telia Denmark and Telenor Denmark, was reportedly36 hit by a ransomware attack. This range of examples shows that no business sector is immune to the malware threat.
23 https://malware-guide.com/blog/new-cdrthief-malware-targeting-linux-voip-softswitches-to-record-call-metadata
24 https://www.theregister.com/2021/09/29/grifthorse_trojan_android/
25 https://thehackernews.com/2021/11/sharkbot-new-android-trojan-stealing.html
26 https://www.zdnet.com/article/a-stalkers-wishlist-phonespy-malware-destroys-android-privacy/
27 https://www.theregister.com/2021/11/25/huaweis_appgallery_games_targeting_children/
28 https://www.theregister.com/2021/11/01/in_brief_security/
29 https://www.zdnet.com/article/this-new-android-malware-gets-full-control-of-your-phone-to-steal-passwords-and-info/
30 https://www.technadu.com/new-android-malware-spreading-via-whatsapp-auto-replies/262967/
31 https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html
32 https://gridinsoft.com/blogs/qualcomm-mobile-station-modem-vulnerability/
33 https://www.techtarget.com/searchsecurity/feature/The-biggest-ransomware-attacks-this-year
34 https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
35 https://cyberthreatintelligence.com/news/spanish-telecom-giant-masmovil-hit-by-revil-ransomware-attack/
36 https://commsrisk.com/ransomware-attack-on-danish-telco/
The UK telecom regulator, OFCOM, reported results of a scams survey37 that highlighted significant ongoing ‘smishing’, with seven in 10 people (71%) saying they have received a suspicious text. Smishing is a combination of phishing and SMS where the aim is to trick users with messages that appear to be legitimate alerts from banks.

‘SIMjacker’38 is a security vulnerability affecting some SIM/UICCs that contain a legacy software program called the S@T browser. It is intended to allow services to be run, based on SIM Toolkit commands. The exploit sends specially crafted SMS messages that use these commands to report a user’s location or device identity to the attacker’s device, without the user’s action or knowledge. The exploit could also be used for fraud (sending SMS/making calls), or other actions such as opening a specific site on the device’s web browser. The attack only succeeds if the SMS message reaches the target device. Network operators can filter SMS messages based on characteristics including message origin and message header information.
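The last sentence is the practical defence, so here is an added illustration of it (example code, not from the GSMA report or from simjacker.com). SIM-targeted SMS are recognisable from two header fields defined in 3GPP TS 23.040: a TP-PID of 0x7F ("(U)SIM Data download") or a TP-DCS message class of 2 ("(U)SIM specific message"). An SMS firewall can therefore let ordinary text through and accept SIM-targeted traffic only from the operator's own OTA platform on the home network. The trusted originator number and the sample messages are constructed assumptions.

```python
"""Illustrative SMS-firewall rule for unsolicited SIM-targeted (OTA / SIM Toolkit) messages.

Added example, not part of the GSMA report. Header semantics follow 3GPP TS 23.040;
the trusted originator list and the sample messages are constructed assumptions.
"""
from dataclasses import dataclass

# TS 23.040: TP-PID 0x7F = "(U)SIM Data download"; TP-DCS message class 2
# = "(U)SIM specific message". Both route the payload to the UICC, which is
# what an S@T browser attack needs.
TP_PID_SIM_DATA_DOWNLOAD = 0x7F
MESSAGE_CLASS_SIM = 2

# Assumption: only the operator's own OTA platform (hypothetical number)
# may originate SIM-targeted SMS, and only via the home SMSC.
TRUSTED_OTA_ORIGINATORS = {"447700900001"}


@dataclass(frozen=True)
class SmsMessage:
    originating_address: str   # TP-OA digits
    tp_pid: int                # TP-Protocol-Identifier
    tp_dcs: int                # TP-Data-Coding-Scheme
    origin_network: str        # "home" (own SMSC) or "interconnect" (foreign SMSC)


def message_class(tp_dcs: int):
    """Return the TP-DCS message class (0-3), or None when no class is signalled.

    A class is signalled in the general coding group (bits 7-6 = 00) when bit 4
    is set, and always in the 'data coding/message class' group (bits 7-4 = 1111).
    """
    group = tp_dcs >> 4
    if group == 0xF:
        return tp_dcs & 0x03
    if (group & 0xC) == 0 and (tp_dcs & 0x10):
        return tp_dcs & 0x03
    return None


def is_sim_targeted(msg: SmsMessage) -> bool:
    """True when the message is addressed to the SIM rather than to the user."""
    return (msg.tp_pid == TP_PID_SIM_DATA_DOWNLOAD
            or message_class(msg.tp_dcs) == MESSAGE_CLASS_SIM)


def filter_decision(msg: SmsMessage) -> str:
    """'deliver' or 'block'. Ordinary text is always delivered; SIM-targeted
    traffic is delivered only from the trusted OTA platform on the home network."""
    if not is_sim_targeted(msg):
        return "deliver"
    if msg.origin_network == "home" and msg.originating_address in TRUSTED_OTA_ORIGINATORS:
        return "deliver"
    return "block"


# Constructed sample traffic (not real captures).
SAMPLE_MESSAGES = [
    SmsMessage("447700900001", 0x7F, 0xF6, "home"),          # operator OTA push
    SmsMessage("15550100222", 0x7F, 0xF6, "interconnect"),   # OTA-looking SMS from abroad
    SmsMessage("447700900999", 0x00, 0xF6, "home"),          # class-2 SMS from a random subscriber
    SmsMessage("15550100222", 0x00, 0x00, "interconnect"),   # plain 7-bit text
]


def summarise(messages=SAMPLE_MESSAGES):
    """Pair each originating address with the filter decision for its message."""
    return [(m.originating_address, filter_decision(m)) for m in messages]
```

The rule deliberately keys on header fields rather than on the payload, because S@T browser commands travel inside a secured (ETSI TS 102 225 style) envelope that a firewall cannot usually parse; the origin and class checks are enough to stop unsolicited SIM-targeted traffic arriving over interconnect.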
CASE STUDY: Flubot

Evidence of the Flubot banking malware was first brought to the attention of the GSMA T-ISAC39 community by a member operator in March 2021, where Indicators of Compromise (IoCs) consisting of malicious URLs and domains were shared on the threat intelligence platform.

Flubot is a blended attack combining smishing and voicemail lures with banking malware injects. It indiscriminately targets mobile users, with the greatest impact on Android devices that have enabled side-loading of apps, but iPhone users are not entirely immune. Although Europe has been the focus of this highly infectious malware, the campaign moved to Australia in August 2021 and a T-ISAC member confirmed the infection had spread to New Zealand in late September 2021. By late November 2021 several European members continued to witness new variants of the campaign, with new activity identified by operators in Finland.

The main objective of the Flubot malware, once downloaded and installed on victim devices following smishing-enabled social engineering, is to obtain accessibility privileges/full access to the device. The malware then detects banking and cryptocurrency applications on the device and superimposes fake overlay windows when the applications are opened to capture credentials and credit card details that are sent to a botnet command and control server. Flubot is also able to intercept messages and application notifications.

The infection method follows typical malware infection patterns:
1. The victim receives a malicious SMS with a URL link.
2. The victim opens the URL link that downloads a malicious application.
3. The application is downloaded and installed (with the user unwittingly ‘approving’ application requests for privileges).
4. The malware gains access to the victim’s contact list and sends the same malicious SMS to those contacts.

Predictably, as new Flubot variants were discovered, new tactics were identified and discussed in the T-ISAC chat forum. Voicemail lures, fake Flubot security alerts and WhatsApp ‘credit card phishing’ via age verification emerged as examples of new methods to entice mobile users.

The impact of Flubot on mobile network operators and their customers can vary and be felt in different ways, including the following:
1. Personal disruption and emotional harm to victims – most victims being older and/or vulnerable
2. Deterioration of confidence in SMS as a channel for business and customers
3. Financial harm – initially to customers, and then to the operator as they issue refunds for fraud losses
4. Wider reputational impact for the operator as customers perceive that they have failed to protect them
5. Consumption of resources in operator customer relationship management and fraud teams.

GSMA’s T-ISAC service allowed members to discuss Flubot related issues in real time, which benefited the network operator response. Valuable information has been shared since its creation including new threat actor tactics, movement of Flubot to other regions, best practice and mitigation, message bodies for feedproxy URLs, signposts to Flubot presentations, webinars and open-source publications and T-ISAC member reports.
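Step 4 of the infection pattern is what makes Flubot visible to the operator: an infected handset suddenly sends the same link-bearing message to a large number of distinct contacts. The following is an added example (not part of the GSMA report or of any T-ISAC material) of the detection logic an SMS firewall or anti-spam function could run over message records to flag that behaviour. The URLs are collapsed to a placeholder so a campaign rotating thousands of domains still matches as one template. The SMS records are constructed; bodies are only available to a function that is permitted to inspect message content.

```python
"""Illustrative detection of worm-like smishing propagation (Flubot step 4).

Added example, not part of the GSMA report or the T-ISAC material. The SMS
records below are constructed; a real deployment would run this inside an
SMS firewall or anti-spam function that is permitted to inspect message bodies.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches absolute URLs and bare host/path forms such as example.com/track.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}/\S*", re.I)


def template_of(body: str) -> str:
    """Collapse URLs so a campaign rotating thousands of domains looks like one message."""
    return URL_RE.sub("<url>", body.lower()).strip()


def detect_smishing_bursts(records, window=timedelta(minutes=10), min_recipients=20):
    """records: iterable of (timestamp, sender, recipient, body).

    Flags a sender that pushes the same URL-bearing template to at least
    `min_recipients` distinct numbers inside `window`. Returns one alert per sender.
    """
    recent = defaultdict(deque)   # sender -> deque[(ts, recipient, template)]
    alerts = {}
    for ts, sender, recipient, body in sorted(records, key=lambda r: r[0]):
        if not URL_RE.search(body):
            continue                                   # only link-bearing messages matter
        q = recent[sender]
        q.append((ts, recipient, template_of(body)))
        while ts - q[0][0] > window:                   # slide the window forward
            q.popleft()
        by_template = defaultdict(set)
        for _, rcpt, tmpl in q:
            by_template[tmpl].add(rcpt)
        tmpl, rcpts = max(by_template.items(), key=lambda kv: len(kv[1]))
        if len(rcpts) >= min_recipients:
            alerts[sender] = {"sender": sender, "distinct_recipients": len(rcpts),
                              "template": tmpl, "first_seen": q[0][0], "last_seen": ts}
    return list(alerts.values())


def sample_records():
    """Constructed traffic: one infected handset and one chatty but benign subscriber."""
    t0 = datetime(2021, 4, 12, 9, 0, 0)
    recs = []
    # Infected device: same lure, rotating domains, 25 contacts in about four minutes.
    for i in range(25):
        recs.append((t0 + timedelta(seconds=10 * i), "447700900123",
                     f"4477009005{i:02d}",
                     f"Your parcel could not be delivered, track it here: http://parcel-track{i}.example/p"))
    # Benign subscriber: many links, but only ever to three friends.
    for i in range(30):
        recs.append((t0 + timedelta(seconds=7 * i), "447700900777",
                     f"4477009001{i % 3:02d}", f"look at this https://example.org/{i}"))
    return recs
```

Counting distinct recipients per template, rather than raw message volume, is what separates the infected handset from a legitimately chatty subscriber; in production the alert would feed the operator's blocklist of lure URLs (the IoCs shared through T-ISAC) and trigger customer contact.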
37 https://www.ofcom.org.uk/news-centre/2021/45-million-people-targeted-by-scams
38 https://simjacker.com/
39 https://www.gsma.com/security/t-isac/
The Malware Response
The GSMA has produced extensive coverage of defence mechanisms and the recommendations include:
• Device level: Bundle optional anti-virus software with devices to prevent infection and propagation of mobile malware. Encourage device manufacturers to protect end-users against malicious code by collaborating with security solution vendors to develop and install anti-virus software
• Deploy malware detection and blocking solutions within the network using anti-virus or content filtering solutions
• Deploy technical solutions to detect and block inbound SMS spam to the network
• Operators should ensure that when procuring devices from manufacturers they specify the default state of the device to be one that is correctly configured to provide the best protection from malware
• Exchange information between operators, vendors and software security firms on new malware threats. This helps operators to perform risk assessments and put alerting mechanisms in place to provide users with information on new mobile malware.
• Educate customers on mobile malware threats and remedies directly and through dealers and retailers. Advice to customers includes checking the text for any details that don’t seem right, avoiding clicking on suspect links and reporting suspicious texts to their network operator
• Build a “Security Conscious Customer Base” by helping customers take responsibility for protecting themselves
• Implement a fraud management system or signalling monitoring rules to detect unusual behaviour
• Prevent the use of exploits by educating customers about the consequences of jailbreaking or rooting mobile devices

In addition to the aforementioned recommendations, the following resources are helpful:
• The GSMA Operator Guide to Mobile Malware (SG.19 – a member document).
• UK NCSC Guidance: Mitigating malware and ransomware attacks40
• CISA advisory aimed at stopping ransomware41, 42
• The Ransomware Guide43 includes advice such as:
– Maintain offline, encrypted backups of data and regularly test your backups
– Create, maintain and exercise a basic cyber incident response plan
– Conduct regular vulnerability scanning to identify and address vulnerabilities
– Regularly patch and update software and OSs to the latest available versions
– Ensure devices are properly configured and that security features are enabled
• NIST have released a draft ransomware risk management profile: The Cybersecurity Framework Profile for Ransomware Risk Management, Draft NISTIR 837444
40 https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
41 https://www.cisa.gov/stopransomware
42 https://www.cisa.gov/stopransomware/how-can-i-protect-against-ransomware
43 https://www.cisa.gov/stopransomware/ransomware-guide
44 https://csrc.nist.gov/publications/detail/nistir/8374/draft
Cloud & Virtualisation Security

The Cloud & Virtualisation Security Threat
With the implementation of 5G, we are seeing a migration to cloud computing. As a result of this, security considerations that were once the responsibility of the network vendor may become that of the operator. Since the software is now able to run on a range of non-proprietary platforms, operators need to ensure that whichever combination of hardware and software they use is secure. This includes ensuring that the software used is up to date, is running on original and authentic hardware and has been unaltered. To ensure this integrity, a chain of trust, anchored by a secured root, is required to ensure that every component is working as intended, as illustrated in Figure 3.

Although virtualised networks bring a range of opportunities and benefits, including network slicing, network scalability and greater flexibility of vendor choice, they also introduce a range of potential security threats, for example unauthorised cross-communication between components such as containers, hardware-based threats, hypervisor threats and attacks on APIs. For virtual machines (VMs), the hypervisor is the software that allows one host computer to support multiple guest VMs by virtually sharing its hardware resources, such as memory and processing.

All cloud workloads have the potential to be compromised by a single compromise of the virtualisation layer. Virtualised workloads which have different trust levels may be consolidated onto a single physical host without sufficient separation.
Figure 3: A Layered Chain of Trust (diagram; layers from the bottom up: Hardware TPM; Operating System, verified by Secure Boot; Virtualisation Layer, carrying a vTPM and Attestation; Containers; Software running in the containers)
Beyond the network itself, we also need to consider how the management of the network is secured, and how a root of trust is established within the network. The management plane is one of several external systems which can access the network, and is responsible for managing the different layers of the cloud infrastructure and applying any updates to these layers.

Figure 4 shows ways in which external systems may access various aspects of the cloud infrastructure. Any entity which can access the management plane also has the opportunity to disrupt it.

Infrastructure security is important as it underpins Mobile Edge Compute, core networks, OpenRAN and corporate cloud services.

The transition of operator network environments to the cloud creates significant changes to the security operations and management of these networks, as well as to the type and capabilities of security controls. Assets are no longer placed at a fixed location (physical box) with planned capacity and long life cycles. Instead the solution stack relationship changes dynamically, and with it, the network traffic of the physical and virtual switches. This increases the complexity of monitoring the compute, storage and network properties of each component as they are no longer statically bound. Furthermore, the lifespan of such entities gets shorter: an entity may serve a workload for a few minutes after which it is decommissioned. In case of compromise there is a need to track not only the alignments of virtual/physical assets, but also the relationship between assets as well as the historic allocations of these assets as they moved within the platform.
Figure 4: Visualisation of External Interaction with the Cloud Network (diagram; the same layer stack as Figure 3 with the external access paths into each layer: user interaction and software updates into the Software layer; software updates and container management into the Containers and Virtualisation Layer; software updates and configuration changes into the Operating System; firmware updates into the Hardware TPM and other hardware)
As the industry moves from the traditional approach of dedicated hardware to a cloud-orientated approach, the number of options for infrastructure grows. Typically, modern infrastructure options can be classified into one of four groups: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); and on-site infrastructure. These form a sliding scale of options ranging from the entire product being hosted in the cloud, through to every element being owned and managed by the operator.

Figure 5 illustrates the relationship between each of the models, with lower levels giving the operator more responsibility and control and the higher levels offering the potential to outsource some security controls. As discussed in a later section, these supply chain arrangements provide their own set of attack threats.

Not shown in the diagram is Network-as-a-Service (NaaS), where the network operator customers consume network services hosted by cloud providers. NaaS can provide a range of network functions including virtual private networks, appliances and load balancers.
Figure 5: Visualisation of the Relationship Between Infrastructure Models. Each Layer Possesses all of the Responsibilities of the Layers Above
(listed from most provider-managed / least operator control, to least provider-managed / most operator control)
SaaS – provider manages applications and data, in addition to everything listed below
PaaS – provider manages runtime, middleware and O/S, in addition to everything listed below
IaaS – provider manages virtualisation, servers, storage and networking
On-Site – consumer is responsible for everything
The Cloud & Virtualisation Security Response
The virtualised network opens up many new possibilities in terms of dynamic scaling and redistribution of resources on demand. Ideally, this should be automated to the highest possible degree and allow the various network functions to grow and shrink capacity dynamically to adapt according to network load and requirements. This means that the deployment of new network elements can be managed with minimal human interaction and that unused, or end of life, resources may be retired automatically. The Network Function Virtualisation (NFV) deployment model will free up human resources for other tasks and also provide an energy efficient network infrastructure that may limit stress on equipment and increase the lifespan of the underlying hardware.

Theoretically, any network element or function may be virtualised. HLRs (Home Location Registers) or MMEs (Mobility Management Entities) are examples of complex network functions that could be delivered as a single, virtual, consolidated appliance. GSMA’s Network Function Virtualisation Threats Analysis45 (FS.33) provides a comprehensive overview of the threats related to NFV and the underlying infrastructure and platforms hosting the NFV. Importantly, it also includes extensive guidance on appropriate risk controls.

These controls act to build a bottom-up security approach including physical, geographic, architectural, hardware, software, data, storage, networking and management & orchestration controls. The bottom-up approach is important, as it acts to preserve the integrity of the solution through the establishment of a root of trust chain. This can ensure the correct workload code is running through the correct virtualisation platform, through operating system security functions, down to any underlying trust arrangements and the underlying hardware.

The GSMA recommends a number of network operation controls, including virtualisation controls, to be applied to the MEC component with the objective of protecting the MEC platform from executing code on compromised virtualisation infrastructure (i.e., IaaS) and hardware. Recommended actions include:
• Verify hardware and virtualisation layer integrity during boot
• Verify all underlying layer loaded modules against a good baseline (measured boot), alert and block loading of unauthorised modules
• Alert/block unsigned module installation and/or deployment to prevent secure boot bypass
• Install host-based detection probes at HostOS and virtualisation layers with rootkit detection capabilities and secure remote monitoring to identify and mitigate dynamic attacks (malware/rootkits)
• Periodically re-initialise the MEC from the hardware layer to minimise the impact of non-persistent (in-memory) attacks and restore the system to a known good state by a secure measured boot, evaluating the system during the boot phase
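The chain of trust in Figure 3 and the "measured boot against a good baseline" action above rest on one mechanism: each component is hashed before it runs and the hash is folded into a TPM Platform Configuration Register (PCR), which a remote verifier later compares with a golden value. The block below is an added example (not code from the GSMA report or FS.33) that models the TPM 2.0 extend rule, PCR := SHA-256(PCR || digest), for a constructed MEC host stack and shows the two ways an attestation check fails: an honest quote of an unauthorised module, and an event log that has been doctored to hide one. Component images are made-up byte strings and the TPM's signature over the quote is not modelled.

```python
"""Illustrative measured-boot baseline check for a MEC / NFVI host.

Added example, not part of the GSMA report or FS.33. It models the TPM 2.0
PCR extend rule (PCR := SHA-256(PCR || digest)) and a remote-attestation
verifier that compares a quoted PCR and its event log with a golden baseline.
Component images below are constructed byte strings; the signature over a real
TPM quote is out of scope here.
"""
import hashlib

PCR_RESET = bytes(32)            # PCRs 0-15 of the SHA-256 bank are all-zero after reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: one-way and order-sensitive, so a log cannot be rewritten to fit."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components):
    """Boot-time measurement: hash each component in load order, extend the PCR,
    and record the event log. components: list of (name, image_bytes)."""
    pcr, log = PCR_RESET, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR that a presented event log describes."""
    pcr = PCR_RESET
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify_attestation(quoted_pcr: bytes, log, golden_pcr: bytes) -> str:
    """Returns 'ok', 'log_inconsistent' (the log does not replay to the quote,
    i.e. a tampered log) or 'unauthorised_module' (honest quote, not the baseline)."""
    if replay_log(log) != quoted_pcr:
        return "log_inconsistent"
    if quoted_pcr != golden_pcr:
        return "unauthorised_module"
    return "ok"


# Constructed known-good stack, bottom to top (hardware up to the virtualisation layer).
GOOD_STACK = [
    ("firmware", b"uefi-fw-v3.2"),
    ("bootloader", b"shim+grub-signed"),
    ("host-kernel", b"linux-5.10-hardened"),
    ("hypervisor", b"kvm-module-1.4"),
]
# Same stack with an unsigned hypervisor module swapped in.
TAMPERED_STACK = GOOD_STACK[:3] + [("hypervisor", b"kvm-module-1.4-backdoored")]

GOLDEN_PCR, GOLDEN_LOG = measure_chain(GOOD_STACK)


def check_host(stack, claimed_log=None) -> str:
    """Boot `stack`, quote the resulting PCR, and verify it; `claimed_log` lets the
    caller present a forged log in place of the real one."""
    pcr, log = measure_chain(stack)
    return verify_attestation(pcr, claimed_log if claimed_log is not None else log, GOLDEN_PCR)
```

Because the extend operation is one-way and order-sensitive, an attacker who replaces the hypervisor cannot choose a later measurement that restores the golden value, and cannot present the golden log either, since replaying it no longer matches the PCR the TPM actually quotes. This is why the GSMA actions above pair measured boot with alerting: the verifier's mismatch is the signal that an unauthorised module loaded.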
45 https://www.gsma.com/security/resources/fs-33-network-function-virtualisation-nfv-threats-analysis/
There is close working between the Linux Foundation’s project Anuket46 and the GSMA’s Open Infrastructure Task Force (OITF)47. The resulting GSMA document NG.126 Cloud Infrastructure Reference Model48 specifies a virtualisation technology agnostic (Virtual Machine (VM)-based and container-based) cloud infrastructure abstraction and acts as a “catalogue” of the exposed infrastructure capabilities, resources and interfaces required by the workloads. Additionally, a Cloud Infrastructure Reference Architecture focused on OpenStack as the Virtualised Infrastructure Manager (VIM) was chosen based on the criteria laid out in the Reference Model. OpenStack has the advantage of being a mature and widely accepted open-source technology. It has a strong ecosystem of vendors that supports it, and is widely deployed by the global operator community for both internal infrastructure and external facing products and services. This means that operators have existing staff with the right skill sets to support a Network Function Virtualisation Infrastructure (NFVI49) deployment into development, test and production. The security requirements include content on:
• Cloud Infrastructure and VIM security
• System Hardening
• Platform Access
• Confidentiality and Integrity
• Workload Security
• Image Security
• Security Life Cycle Management
• Monitoring and Security Audit

The Center for Internet Security (CIS)50 has useful benchmarks for a range of platform approaches including Google Cloud, Oracle Cloud, Microsoft Azure, Kubernetes, Docker, Amazon Web Services, Red Hat Linux, VMware and Ubuntu Linux. These benchmarks can be used to validate that cloud infrastructure is configured as securely as possible. There are open source51 and commercial52 tools that can check environments against the recommendations defined in the CIS benchmarks to identify insecure configurations.
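To make the CIS benchmark paragraph concrete, here is an added example (not from the GSMA report, and not docker-bench-security's own code) of the shape such a checker takes: a rule table of configuration keys, their effective defaults and the value the benchmark wants, evaluated against a configuration document. The rules paraphrase a handful of CIS Docker Benchmark daemon recommendations and CIS Kubernetes Benchmark kubelet recommendations; the recommendation numbers differ between benchmark versions and are left out. The weak and hardened daemon.json and kubelet documents are constructed.

```python
"""Illustrative CIS-style configuration checks for container hosts.

Added example, not part of the GSMA report and not docker-bench-security's own
code. The rules paraphrase a few recommendations from the CIS Docker Benchmark
(daemon configuration) and the CIS Kubernetes Benchmark (kubelet); recommendation
numbers differ between benchmark versions and are deliberately omitted.
The daemon.json and kubelet documents are constructed.
"""
import json


def lookup(cfg, dotted_path, default=None):
    """Fetch cfg['a']['b'] for 'a.b'; return default when any key is missing."""
    node = cfg
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# (dotted key, effective value when the key is absent, predicate, recommendation title)
# Docker daemon defaults: icc=true, userland-proxy=true, live-restore=false,
# log-level=info, no-new-privileges=false.
DOCKER_RULES = [
    ("icc", True, lambda v: v is False, "Restrict network traffic between containers on the default bridge"),
    ("userland-proxy", True, lambda v: v is False, "Disable the userland proxy"),
    ("live-restore", False, lambda v: v is True, "Enable live restore"),
    ("log-level", "info", lambda v: v == "info", "Set the logging level to 'info'"),
    ("no-new-privileges", False, lambda v: v is True, "Block new privilege acquisition by default"),
]
# Kubelet: the flag and config-file forms have different defaults, so the
# check requires the secure value to be set explicitly (absent = fail).
KUBELET_RULES = [
    ("authentication.anonymous.enabled", None, lambda v: v is False, "Disable anonymous kubelet authentication"),
    ("authorization.mode", None, lambda v: v == "Webhook", "Use Webhook (not AlwaysAllow) kubelet authorization"),
    ("readOnlyPort", None, lambda v: v == 0, "Disable the kubelet read-only port"),
]


def evaluate(cfg, rules):
    """Return the titles of failed recommendations for one configuration document."""
    return [title for path, default, ok, title in rules if not ok(lookup(cfg, path, default))]


def check_json(text, rules):
    """Same check starting from raw file contents (daemon.json, or kubelet config as JSON)."""
    return evaluate(json.loads(text), rules)


# Constructed configurations: the weak settings beside their corrected form.
WEAK_DAEMON_JSON = '{"icc": true, "userland-proxy": true, "log-level": "debug"}'
HARD_DAEMON_JSON = ('{"icc": false, "userland-proxy": false, "log-level": "info", '
                    '"live-restore": true, "no-new-privileges": true}')
WEAK_KUBELET = {"authentication": {"anonymous": {"enabled": True}},
                "authorization": {"mode": "AlwaysAllow"}, "readOnlyPort": 10255}
HARD_KUBELET = {"authentication": {"anonymous": {"enabled": False}},
                "authorization": {"mode": "Webhook"}, "readOnlyPort": 0}
```

The point worth noting is the default column: a benchmark check that only inspects keys present in the file will pass a daemon.json that never mentions `icc` or `live-restore`, even though the shipped defaults are the insecure ones. Encoding the effective default per key is what makes the check honest.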
46 https://anuket.io/
47 Accessible via GSMA OITF Working Group
48 https://www.gsma.com/newsroom/wp-content/uploads//NG.126-v1.0-2.pdf
49 https://www.etsi.org/deliver/etsi_gs/NFV-INF/001_099/001/01.01.01_60/gs_NFV-INF001v010101p.pdf
50 https://www.cisecurity.org/resources/page/4/?type=benchmark
51 Eg https://github.com/docker/docker-bench-security
52 See https://www.cisecurity.org/cis-controls-supporters/
Operational Security

The Operational Security Threat
To administer and manage an operational mobile network there is a wide set of telecommunications and information technology (IT) systems (shown below in Figure 6) to be maintained. In addition to telecoms infrastructure, there are a range of corporate information technology systems that enable broader business operations, as well as software for supporting customers, which includes billing systems and enterprise client dashboard and control systems. The internal corporate systems include intranet, email, instant messaging and staff systems such as accounting and sales systems. These systems are accessed by a range of employee devices and used by the full range of staff functions, including the system administrators for the operational network.

A range of wider corporate partner connections are commonly in place to provide access to wider IT and cloud services and can also provide access to the operator network to enable managed service providers. Any connection between the operator’s corporate systems and the telecommunications network can provide a pivot attack point into the mobile network from the corporate infrastructure, and security solutions will need to include both perimeter and internal controls. It is essential to protect both the operational mobile network and associated IT systems as they are both a threat vector for potential cyber-attack. This topic explores the need for ongoing security controls for both operational and supporting IT systems.

A wide range of attack vectors can be identified when considering the complete system of both operator network(s) and the associated corporate IT systems (see Figure 6).
Figure 6: Potential Security Attack Vectors (diagram; the Operator Network (RAN, Core, Cloud) sits behind its own perimeter and internal controls, and the Corporate Systems (telco and non-telco systems, network partners) behind theirs, with connections that support operation between the two. Possible attack vectors marked on the diagram: Infrastructure, Exposed Routers, Device/IoT, Inter-connect/Roaming, Internet, Network Partners, Customer device phishing, Employee device, Malicious Insider and MSP attack. Legend: controls protect operational networks and customer data privacy; connection to support operation; possible attack vector.)
There are a number of attack vectors and each requires strong security controls and processes to minimise the threat and impact of any attack:
• Phishing Attacks: Well-engineered and styled phishing attacks continue to have a finite success rate in penetrating perimeter defences. Consequently, anti-phishing campaigns and well architected internal network controls making lateral movement more difficult are important requirements.
• Malicious Insider / Compromised Access: In a similar manner, internal controls, least privilege and strong authentication make it harder for a malicious insider to gain traction.
• Managed Service Provider Attack: Remote compromise of a managed service provider offers a potential attack vector. Strong vetting, least privilege and trust domains form part of any defence.
• Inter-connect / Roaming / Internet Signalling and DDoS Attack: The exploitation of control signalling as an attack vector is comprehensively documented, attracts significant attention in GSMA member security documents53 and is explored in more detail in a later section of this report.
• Exposed Routers and Servers: A network operator will have a significant estate of vendor equipment, router and server infrastructure. It is important to have a strong grasp of the inventory of equipment in order that it can be managed and protected. This is particularly true for any internet-exposed management interfaces. Legacy equipment can use protocols with limited in-built security. These exposed interfaces must be configured to use secure protocols or have additional security controls such as VPN protection to reduce the likelihood of success for an adversary attack. This applies to virtualised deployments in the same sense, in that bare metal compute, storage and network devices must be protected. Additionally, unused management protocols, internet services and accounts can be disabled to limit attack opportunities.
• Infrastructure Attack: Physical attack of network infrastructure, such as at cell sites, retail outlets or data centres.
• Device Attack: With increasing access bandwidth and a range of malware attacks on devices, protection must be considered against device-based network attacks (e.g. signalling ‘storms’, Denial of Service attacks, IoT compromises) back into the network. Additionally, devices themselves may be subject to individual attack.
• Supply Chain (not shown on diagram): Where equipment/software experiences interference in the process of supply/deployment. This also includes where third party service providers may be exploited to then compromise the network operator54 or to access sensitive account systems.
• Social Engineering (not shown on the diagram): Where attempts are made to obtain account access by changing account details, accessing security credentials or to influence key individuals (e.g. ‘whaling’ attacks on senior executives).
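The "Exposed Routers and Servers" point above is only actionable once the inventory it calls for is joined to a policy: which management protocols are acceptable, and which interfaces are reachable from the internet without a VPN in front of them. The block below is an added example (not from the GSMA report) of that join, run over a constructed inventory. Internal address space is defined explicitly (RFC 1918 and similar ranges) so that the documentation ranges used for the sample public hosts are treated as internet-reachable; the protocol lists are a reasonable starting policy, not a standard.

```python
"""Illustrative check of a management-interface inventory for internet exposure
and legacy protocols. Added example, not part of the GSMA report; the inventory
records and both protocol lists are constructed assumptions.
"""
import ipaddress

# Management protocols with no or weak built-in protection (cleartext, or SNMP v1/v2c).
LEGACY_PROTOCOLS = {"telnet", "http", "ftp", "tftp", "snmpv1", "snmpv2c"}
# Protocols acceptable on a management interface when correctly configured.
SECURE_PROTOCOLS = {"ssh", "https", "snmpv3", "netconf", "ipsec"}

# Address space treated as internal; everything else counts as internet-reachable.
# (Listed explicitly rather than via ip_address.is_global so that the
# documentation ranges in the sample below stand in for public addresses.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_internet_reachable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess(inventory):
    """inventory: iterable of dicts with keys host, ip, protocol, behind_vpn (bool).

    Severity: 'critical' = legacy protocol reachable from the internet without VPN;
    'high' = a secure protocol directly on the internet without VPN (still an
    exposed management plane); 'medium' = legacy protocol on an internal-only
    interface; 'unknown' = protocol not in either list and needs review.
    Returns (host, ip, protocol, severity) tuples; compliant entries are omitted.
    """
    findings = []
    for item in inventory:
        proto = item["protocol"].lower()
        exposed = is_internet_reachable(item["ip"]) and not item.get("behind_vpn", False)
        if proto in LEGACY_PROTOCOLS:
            severity = "critical" if exposed else "medium"
        elif proto in SECURE_PROTOCOLS:
            severity = "high" if exposed else None
        else:
            severity = "unknown"
        if severity:
            findings.append((item["host"], item["ip"], proto, severity))
    return findings


# Constructed inventory; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_INVENTORY = [
    {"host": "edge-rtr-01", "ip": "203.0.113.10", "protocol": "telnet", "behind_vpn": False},
    {"host": "edge-rtr-01", "ip": "203.0.113.10", "protocol": "ssh", "behind_vpn": False},
    {"host": "core-sw-07", "ip": "10.20.30.40", "protocol": "snmpv2c", "behind_vpn": False},
    {"host": "nfvi-host-3", "ip": "198.51.100.7", "protocol": "https", "behind_vpn": True},
    {"host": "legacy-bsc", "ip": "10.9.8.7", "protocol": "x25-pad", "behind_vpn": True},
]
```

Note that SSH on a public address is still reported (as "high"): the report's advice is that exposed management interfaces carry an additional control such as a VPN, not merely a secure protocol, and the "unknown" bucket is what forces the inventory to be completed rather than silently ignored.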
53 GSMA Documents FS.11 and FS.19
54 https://www.solarwinds.com/securityadvisory
Fraudulent SIM Swap Overview
SIM swap is a legitimate service offered by mobile operators to allow customers to replace their existing SIM with a new one. A SIM swap may be required in the following circumstances:
• A SIM is lost, stolen or damaged;
• A different sized SIM is needed for a new device;
• The customer is porting out their number to a different network.

While SIM swap is a necessary and useful service, it has provided an opportunity for fraudsters to obtain and utilise the replacement SIM card to gain access to users’ financial and wider service accounts. Two-factor authentication is commonly used by financial institutions to provide safe and secure services to customers. One of the most common two-factor authentication methods sends one-time passwords to the account holder’s mobile number. Social engineering of call centre staff is an ongoing issue for all organisations that are required to service users directly. This form of “account takeover” is seen in many different sectors. With the prevalence of publicly available information on the internet for most people, building up a legitimate picture of a user can be done with relative ease or with some initial social engineering against the user themselves. If a fraudulent SIM swap is completed successfully, it enables the fraudster55 to receive authentication messages, calls and one-time passwords from the financial service provider of the victim. This allows those carrying out fraudulent activity to send money from the banking and mobile money accounts of the victim. Network operators and end customers can also lose the use of their devices and incur wider additional costs outside of the direct cost of this fraud.

GSMA’s Fraud Manual FF.21 (available to GSMA members only) contains advice on countering fraudulent SIM swapping. Advice includes having an equal level of customer validation for new and existing customers, education and training of sales/dealer staff and considering implementing GSMA Mobile Connect56 in order to authenticate users.

An adversary may use the operational communications network as an attack vector to industry verticals. Previously, there has been less evidence of the adversary attacking the actual communications infrastructure, possibly because the communications infrastructure itself is required to be operational to enable an onward attack. This is not always the case though and there are increasing signs57 of more direct attacks on operator networks. This can be viewed as a further example of a supply chain attack, with the network operator being in the supply chain to the target. These attacks may be aimed at extracting customer or billing data, committing fraud, testing network defences or, in extreme circumstances such as a war, launching direct attacks to disable and disrupt national communications. Any successful attack against an operational communications network that disrupts availability, confidentiality and/or integrity can be seen to have a force multiplier effect that impacts communications and the supported industry vertical(s).

The Verizon 2021 Data Breach Investigations Report58 investigates data breaches across a range of industries. One, of many, noteworthy changes this year is the increase in rank of desktop sharing as the cause of a data breach, particularly relevant given that the link between corporate systems and the operational network can be an attack vector, especially via administrator accounts.

Additionally, the Trend Micro Report59 summarises the characteristics and threats and contains recommendations to improve the security posture of enterprises’ and telecommunications companies’ IT infrastructure.
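The SIM swap overview explains why SMS one-time passwords stop being a second factor once the number has been fraudulently re-assigned. One widely deployed mitigation that follows from it, added here as an example rather than as anything the GSMA report, FF.21 or Mobile Connect specifies, is for the relying party (a bank, say) to ask the operator whether the SIM behind an MSISDN changed recently and, if so, to withhold the SMS channel and step up to a stronger one. The operator's SIM-change records and the interface between the two parties are constructed assumptions.

```python
"""Illustrative 'recent SIM change' check before trusting SMS one-time passwords.

Added example, not part of the GSMA report, FF.21 or Mobile Connect. It models a
relying party (e.g. a bank) asking the subscriber's operator whether the SIM behind
an MSISDN changed recently and falling back to a stronger channel if so. The
operator-side SIM-change records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed operator record: MSISDN -> (ICCID now active, time of last SIM change).
SIM_CHANGE_LOG = {
    "447700900111": ("8944110000000000111", datetime(2021, 6, 1, 10, 15)),   # changed months ago
    "447700900222": ("8944110000000000999", datetime(2021, 9, 14, 8, 40)),   # changed this morning
}


def sim_changed_since(msisdn: str, since: datetime):
    """Operator-side answer: True/False whether the SIM changed after `since`,
    or None when the MSISDN is not served by this operator (no data, not 'safe')."""
    entry = SIM_CHANGE_LOG.get(msisdn)
    if entry is None:
        return None
    return entry[1] > since


def otp_channel(msisdn: str, now: datetime, cooldown=timedelta(hours=72)):
    """Relying-party policy: ('sms_otp', None) only when the operator confirms no SIM
    change inside `cooldown`; otherwise ('step_up', reason). Unknown numbers fail closed."""
    changed = sim_changed_since(msisdn, now - cooldown)
    if changed is None:
        return ("step_up", "no operator data for number")
    if changed:
        return ("step_up", "SIM changed within cooldown window")
    return ("sms_otp", None)


def sample_decisions(now=datetime(2021, 9, 14, 12, 0)):
    """Decisions for a long-stable number, a freshly swapped number and an unknown one."""
    return {m: otp_channel(m, now)[0]
            for m in ("447700900111", "447700900222", "447700900333")}
```

Two design points matter in practice. The cooldown is a policy choice, not a fact about fraud: too short and the attacker simply waits, too long and every legitimate replacement SIM triggers step-up friction. And the operator must answer from its own provisioning records (the ICCID/IMSI change event), not from anything the customer-facing channel can be talked into changing, otherwise the same social engineering that obtained the swap also defeats the check.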
55 https://www.gsma.com/aboutus/workinggroups/what-is-sim-swap
56 https://www.gsma.com/identity/mobile-connect
57 https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/
58 https://www.verizon.com/business/resources/reports/dbir/
59 https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/islands-of-telecom-risks-in-it
The Operational Security Response
The GSMA recommends core network management controls. Some examples of the security objectives are shown below:
• There should be processes for the secure provisioning and decommissioning of users to ensure only legitimately subscribing customers have access to services
• Protect core network traffic after it is handed over from the radio path to protect against unauthorised interception and alteration of user traffic and sensitive signalling information
• Prevent eavesdropping, the unauthorised deletion and modification of voicemail content, settings and greetings, and call break-out to generate fraudulent traffic
• Use customer anonymisation techniques to protect identifiers that can be used to identify and track individual customers
• Prevent unsolicited messaging traffic reaching unsuspecting customers and causing potential harm to the network, including denial of service attacks against network elements
• Control which devices can access the network to protect against the connection of counterfeit, stolen and substandard devices and the possible network impacts they may have
• The processes and tools used to ensure secure access to critical assets (e.g. core infrastructure)

Further controls covering Network Infrastructure are shown below:
• Security Network Function Virtualisation Infrastructure (NFVI) controls
• Virtualisation controls
• Network controls
• Storage controls
• Management controls
• Container controls

A wide range of controls, such as those for Network Operations control, include:
• Actively manage (inventory, track and correct) all hardware devices on the network
• Establish, implement and actively manage (track, report on, correct) the security configuration of network equipment
• Virtualisation/containerisation controls should be enforced
• Manage the ongoing operational use of ports, protocols, and services on networked devices in order to minimise windows of vulnerability available to attackers
• Continuously acquire, assess and act on new information in order to identify vulnerabilities, remediate, and minimise the window of opportunity for attackers
• Monitor and analyse core, radio and enterprise network traffic for potential internal or external attacks
• Ensure certificate issuing authorities are managed correctly
• Ensure database services and systems are protected from unauthorised access and misuse
• Implement cloud security principles for all private, public and hybrid cloud (infrastructure, platform or software) computing based provisioning
• Utilise centralised patching software, orchestrate and control patch deployments, and define patch deployment policies
• Implement misconfiguration detection and prevention

Controls for Security Operations include:
• Collect, manage, and analyse audit logs of events
• Control the installation, spread, and execution of malicious code at multiple points in the network
• Utilise open source information (OSINT) and other contextual information to increase awareness of the threat landscape
• Protect the organisation’s information, as well as its reputation, by developing and implementing an incident response infrastructure
• Perform security assessment of live systems to test the overall strength of an organisation’s defence (the technology, the processes and the people) by simulating the objectives and actions of an attacker (‘red teaming’)
• Implement a holistic protective monitoring approach that ensures there is a proactive and consistent approach to detection of abnormal behaviour on networks and systems
IoT Security

IoT offers the vision of a hyper-connected world where billions of connected objects and people seamlessly interconnect, exchanging data and making insightful decisions using artificial intelligence for the benefit of both individuals and society as a whole. IoT services are already widely adopted today across automotive, consumer electronics, enterprise, healthcare, industrial, smart buildings, smart cities, smart homes and utilities.

To support this market, IoT-centric connectivity is becoming mainstream, including low-power-wide-area technologies such as LTE-M (Long Term Evolution for Machines) and NB-IoT (Narrowband IoT), and local area wireless technologies such as Bluetooth LE, Zigbee and Z-wave. 5G networks (which encompass LTE-M and NB-IoT) support massive machine type communication (mMTC), ultra-reliable low-latency communications (URLLC) and ultra-high device densities, which will further accelerate IoT market growth.

IoT services are expected to rapidly grow across all industry sectors. According to the latest GSMA Intelligence IoT market update[60], the number of IoT device connections across all IoT markets is forecast to exceed 37 billion devices by 2030. This figure includes all types of IoT devices, from all industry sectors and covering both consumer and enterprise applications.

The IoT Security Challenge
IoT services present security challenges not only due to the scale and breadth of the services, but also due to the critical functionality that many IoT services provide, with many services performing safety critical functions and leveraging private information. These factors, amongst others, make IoT services high value targets for potential attackers who wish to exploit these services, for example, to launch DDoS attacks, extract sensitive private data, or disrupt critical services. Additionally, there exists a relatively large legacy estate of older IoT devices with limited in-built security protections.

[60] https://data.gsmaintelligence.com/research/research/research-2021/iot-market-update-assessing-disruption-and-opportunities-forecasting-connections-to-2030

Recent IoT Attack Examples
Many wide scale attacks on, or leveraging, IoT services have been documented over recent years, with incidents such as the Mirai botnet DDoS attack and various automotive-centric vulnerabilities making headlines in the mainstream media. Over the past 12 months, new attacks have been reported which serve to demonstrate that the IoT security landscape is evolving and that the fundamental security weaknesses present within many IoT devices and services still persist. A few example issues reported in the past 12 months serve to emphasise these points:
• Security challenges in underlying IoT technology enablers persist. For example:
  – The ‘BrakTooth’ vulnerability[61], which was found to affect the Bluetooth software stacks within several major System on Chip providers, is a good example of a vulnerability within a generic IoT technology enabler that could leave billions of IoT devices vulnerable to malicious code injection. Full technical details on the vulnerabilities can be found on the dedicated BrakTooth website[62].
• Security issues in consumer IoT devices are still widespread, examples of which include:
  – Unauthenticated remote code execution (RCE) vulnerability in Hikvision IP camera[63]
  – Critical RCE vulnerability related to the web service of the Annke N48PBB network video recorder[64]
  – Unauthenticated RCE on Motorola Halo+ baby monitor[65]
  – An unauthenticated RCE vulnerability in the STEM Audio Table conference call speaker, which could allow eavesdropping on conversations[66]
• Security vulnerabilities within routers remain a major issue, examples of which include:
  – A Cisco RV34X router weakness allowing authentication bypass and system command injection, both in the web management interface[67]
  – A NETGEAR DGN-2200v1 series router critical security issue[68] related to accessing the router management pages using authentication bypass and deriving saved router credentials via a cryptographic side-channel
  – TP-Link 4G routers being used as a botnet to abuse SMS services[69]

The IoT Security Response
Security guidelines, such as the IoT security guidelines[70] issued by the GSMA, have been available for several years and provide a comprehensive guide to IoT service providers. Since their initial publication the guidelines, together with other security resources, are now referenced within international standards including ETSI EN 303 645[71] and NISTIR 8259. In turn, these standards are now being leveraged by regulators, and IoT service providers will soon be required by law to implement key security requirements in many markets. At the time of writing, IoT security legislation and regulations are being progressed and implemented in multiple countries and regions across the world including Australia, China, Europe, India, Singapore, USA and the UK.

Operating a vulnerability disclosure scheme is a core component of the IoT security lifecycle and is seen as one of the top product security recommendations for IoT companies in the ecosystem (GSMA operates the CVD scheme for industry-wide issues with mobile network connected technologies and services).

[61] https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/braktooth-bluetooth-vulnerabilities-crash-all-the-devices/
[62] https://asset-group.github.io/disclosures/braktooth/
[63] https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
[64] https://www.nozominetworks.com/blog/new-annke-vulnerability-shows-risks-of-iot-security-camera-systems/
[65] https://randywestergren.com/unauthenticated-remote-code-execution-in-motorola-baby-monitors/
[66] https://blog.grimm-co.com/2021/06/the-walls-have-ears.html
[67] https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
[68] https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
[69] https://therecord.media/botnet-abuses-tp-link-routers-for-years-in-sms-messaging-as-a-service-scheme/
[70] https://www.gsma.com/iot/iot-security/iot-security-guidelines/
[71] https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

GSMA IoT Security Guidelines and Assessment
Developed with the support of the mobile industry, the GSMA IoT Security Guidelines[72] and associated IoT Security Assessment[73] scheme provide guidance and expertise to help IoT developers and service providers address the challenge of securing IoT services.

These resources provide recommendations for the secure design, development and deployment of IoT services and provide a mechanism to evaluate security measures. They address all parts of a typical IoT service, covering server side components and APIs, communication networks and device endpoints.

The GSMA security guidelines are being leveraged by international standards and over the past 12 months these standards have further evolved:
• ETSI has released a companion test specification to the ETSI EN 303 645 consumer IoT security standard. This test specification, ETSI TS 103 701[74], will allow IoT service providers to assess their compliance to the standard using self-assessment or a test lab.
• The NIST cybersecurity program for IoT[75] now provides a range of guidance including information for IoT device manufacturers[76] through the NISTIR 8259 series of reports covering consumer IoT cybersecurity[77]. This guidance extends their risk management process to include IoT and defines IoT security requirements (NIST SP 800-213) using an accompanying catalogue (NIST SP 800-213A)[78].

GSMA IoT SAFE
Leveraging hardware secure elements, or ‘Roots of Trust’, to establish end-to-end, chip-to-cloud security for IoT products and services is a key recommendation of the GSMA IoT Security Guidelines.

Developed by the mobile industry, IoT SAFE[79] (IoT SIM Applet For Secure End-2-End Communication) enables IoT service providers to leverage the SIM (including eSIM and iSIM) as a robust, scalable and standardised hardware Root of Trust to protect end-to-end data communications.

The solution is described in a recent GSMA whitepaper[80], which describes how the SIM can be leveraged as a root-of-trust to secure IoT device-to-cloud communications using TLS/DTLS, the world’s most popular application layer security protocols.

Figure 7: GSMA IoT Security Guidelines and Assessment Scheme

[72] https://www.gsma.com/iot/iot-security/iot-security-guidelines/
[73] https://www.gsma.com/iot/iot-security-assessment/
[74] https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf
[75] https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program
[76] https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program/nistir-8259-series
[77] https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program/consumer-iot-cybersecurity
[78] https://csrc.nist.gov/news/2021/updates-to-iot-cybersecurity-guidance-and-catalog
[79] https://www.gsma.com/iot/iot-safe/
[80] https://www.gsma.com/iot/wp-content/uploads/2021/06/IoT-SAFE-Whitepaper-2021.pdf

Signalling & Interconnect Security

Both 2G and 3G networks are still deployed globally, and whilst we are seeing some closure of 2G and 3G networks, it is unlikely that these will entirely disappear from the ecosystem for years to come. The likelihood is that some 2G networks will outlive 3G due to the reliance of legacy, long-lived devices and services on 2G networks, e.g. the widespread deployment of early IoT devices such as smart meters.

The Signalling & Interconnect Threat
Traditionally, the interconnect traffic between operators relied on the underlying signalling protocols for effective and secure operation and the inherent trust model that assumed only those entities that need signalling access have it. For many years, this assumption has not been correct and operators need to recognise that attacks can come through their signalling network and their connections to other operators and partners. The industry has developed a range of enablers to respond to this threat through the use of signalling firewalls, message filtering and blocking capabilities, security cooperation, intelligence and best practice sharing. However, signalling and interconnect remains an important and ongoing threat area that requires monitoring because when signalling is compromised, the integrity, confidentiality and availability of many services is at risk. Future threats in this space may emerge as current mitigations prove insufficient and new attacks become viable. Also, emerging radio access supply arrangements may present opportunities for signalling attacks over access connections. Consequently, signalling security is still viewed as a priority area in which operators must focus significant attention for enhanced security and fraud avoidance.

The practice of Global Title (GT) leasing has significantly increased the attack surface as granting access to interconnect protocols and systems has extended to third parties, sometimes without the required due diligence, protection or monitoring mechanisms being put in place by operators[81].

The interconnect threat is exacerbated by the deployment of insecure and misconfigured network equipment, which can inadvertently result in the generation of suspicious traffic. It is recognised that it is impossible to entirely prevent unauthorised or illicit SS7 network access, so detection is essential if such activity is to be identified and isolated. This is in order to reduce the risk of user location tracking, eavesdropping, traffic diversion, spam, privacy breaches, fraud and denial of service. The lack of home routing deployment and inadequate monitoring and filtering capabilities being deployed by mobile networks increases the risk. GSMA has produced comprehensive security recommendations covering all of these aspects.

[81] See Mobileum blog post at https://blog.mobileum.com/the-battle-to-protect-our-subscribers-against-cyber-weapons

The Signalling & Interconnect Response
Experience has shown that legacy 2G/3G networks make use of insecure, unmanaged signalling protocols and are subject to fraud and security threats on a regular basis. Many of these attacks have been mitigated with security enhancements introduced in 4G and 5G. However, due to the backward compatibility of 4G with 3G/2G they will not disappear until the legacy technology or backward compatibility ceases to exist.

The industry understands the challenges posed by signalling protocols, for example SS7, GTP, Border Gateway Protocol (BGP) and Diameter; however, fundamental resolutions to address these challenges would require significant changes to the core protocols and are not straightforward to apply to complex and globally deployed large scale networks. To address these challenges GSMA has developed a wide range of security controls and mitigations that act, when implemented by network operators, to significantly moderate these security challenges.

INDUSTRY INSIGHT:
An interconnect security survey performed by umlaut[82] at the request of several mobile operators provides some industry insight on the state of signalling and interconnect security. Each gap in completeness offers a security threat that can be mitigated with suitable controls. The list covers over 40 mobile operators mostly based in Europe and with some level of security awareness. Of the operators surveyed:
• 69% of networks have protection measures against International Mobile Subscriber Identity (IMSI) leakage (by Category 1 or bypass SMS Home Routing)
• 88% of the mobile operators have SMS Home Routing deployed
• 81% of the mobile operators have GSMA FS.11 SS7 Category 2 protection in blocking mode
• 5% of the mobile operators have GSMA FS.11 SS7 Category 3 protection in blocking mode
• 79% of the mobile operators have GSMA FS.19 Diameter Category 2 protection in blocking mode
• 3% of the mobile operators have GSMA FS.19 Diameter Category 3 protection in blocking mode
• 18% of the mobile operators have GTP-C inspection protection in blocking mode
• 59% of the mobile operators block, or do not support, GPRS Tunnel Protocol (GTP)-C v0 (deprecated) on the network.
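As an added illustration of what the FS.11-style Category 1/2/3 protections in blocking mode in the survey above amount to in practice, the following Python sketch (written for this page, not GSMA or umlaut code) applies a category-based policy to MAP operations arriving over the SS7 interconnect, including a serving-network check for Category 2 and a velocity (impossible travel) check for Category 3. The category membership, Global Title prefix table, network names, IMSI and velocity threshold are all constructed assumptions; the authoritative operation lists are in GSMA FS.11.

```python
# Added example: category-based screening of MAP operations on the SS7 interconnect.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Illustrative subset of the GSMA FS.11 MAP operation categories. These sets are
# constructed for this example; the authoritative lists are in FS.11 itself.
CATEGORY_1 = {  # never needed across the interconnect: always block
    "anyTimeInterrogation", "anyTimeModification", "sendIMSI", "sendParameters",
}
CATEGORY_2 = {  # only expected from the network currently serving the subscriber
    "provideSubscriberInfo", "insertSubscriberData", "cancelLocation",
    "provideRoamingNumber",
}
CATEGORY_3 = {  # legitimate from roaming partners, but needs plausibility checks
    "updateLocation", "sendAuthenticationInfo", "sendRoutingInfoForSM", "registerSS",
}

HOME_NETWORK = "HomeNet"           # constructed name for our own PLMN
MIN_HOURS_BETWEEN_COUNTRIES = 2.0  # constructed velocity-check threshold

# Constructed Global Title prefix table: prefix -> (country, network).
GT_PREFIX_TABLE = {
    "4477": ("GB", HOME_NETWORK),
    "4917": ("DE", "VisitedNetA"),
    "6591": ("SG", "VisitedNetB"),
}


@dataclass
class MapMessage:
    opcode: str          # MAP operation name
    calling_gt: str      # SCCP calling party Global Title
    imsi: str
    received_at: datetime


@dataclass
class SubscriberState:
    """What the HLR last recorded about where the subscriber is registered."""
    serving_network: str
    serving_country: str
    last_seen: datetime


def resolve_gt(gt: str) -> Tuple[str, str]:
    """Map a Global Title to (country, network) by longest-prefix match."""
    for prefix in sorted(GT_PREFIX_TABLE, key=len, reverse=True):
        if gt.startswith(prefix):
            return GT_PREFIX_TABLE[prefix]
    return ("??", "unknown")


def evaluate(msg: MapMessage, state: Optional[SubscriberState]) -> Tuple[str, str]:
    """Return (verdict, reason) for a MAP message arriving over the interconnect."""
    country, network = resolve_gt(msg.calling_gt)
    # Our own Global Titles should never appear as the sender on external links.
    if network == HOME_NETWORK:
        return "BLOCK", "home Global Title used as calling party on interconnect"
    if msg.opcode in CATEGORY_1:
        return "BLOCK", f"{msg.opcode} is Category 1 (not needed across interconnect)"
    if msg.opcode in CATEGORY_2:
        if state is None or network != state.serving_network:
            served_by = state.serving_network if state else "no registration"
            return "BLOCK", f"Category 2 {msg.opcode} from {network}; serving network is {served_by}"
        return "ALLOW", "Category 2 from the current serving network"
    if msg.opcode in CATEGORY_3:
        if state is not None and country != state.serving_country:
            elapsed = msg.received_at - state.last_seen
            if elapsed < timedelta(hours=MIN_HOURS_BETWEEN_COUNTRIES):
                return "BLOCK", (f"velocity check failed: seen in {state.serving_country} "
                                 f"{elapsed} ago, now {msg.opcode} from {country}")
        return "ALLOW", "Category 3 passed plausibility checks"
    return "ALLOW", "uncategorised operation; log for review"


def run_constructed_scenarios() -> dict:
    """Constructed traffic sample so the policy can be exercised offline."""
    now = datetime(2022, 2, 1, 12, 0)
    imsi = "234150000000001"  # constructed IMSI
    just_seen_de = SubscriberState("VisitedNetA", "DE", now - timedelta(minutes=10))
    seen_de_earlier = SubscriberState("VisitedNetA", "DE", now - timedelta(hours=6))
    cases = {
        "ati_from_partner": (MapMessage("anyTimeInterrogation", "4917000000", imsi, now), just_seen_de),
        "psi_from_wrong_network": (MapMessage("provideSubscriberInfo", "6591000000", imsi, now), just_seen_de),
        "psi_from_serving_network": (MapMessage("provideSubscriberInfo", "4917000000", imsi, now), just_seen_de),
        "ul_impossible_travel": (MapMessage("updateLocation", "6591000000", imsi, now), just_seen_de),
        "ul_plausible_travel": (MapMessage("updateLocation", "6591000000", imsi, now), seen_de_earlier),
        "spoofed_home_gt": (MapMessage("updateLocation", "4477000000", imsi, now), just_seen_de),
    }
    return {name: evaluate(msg, state)[0] for name, (msg, state) in cases.items()}
```

A real signalling firewall would also apply the SMS Home Routing correlation on sendRoutingInfoForSM responses so that the IMSI is never returned to the interconnect; that response-side logic is outside this sketch.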

[82] http://umlaut.com/en/contact-us

5G is an opportunity for the mobile industry to enhance network and service security. New authentication capabilities, enhanced subscriber identity protection and additional security mechanisms will result in significant security improvements over legacy generations. In practice, the deployment of 5G is being achieved through two approaches, namely Non-Standalone (NSA) or Standalone (SA) architecture. NSA allows operators to utilise their existing communications and mobile Evolved Packet Core (EPC), instead of deploying a new core for 5G. 5G SA is a completely new core architecture defined by 3GPP that introduces significant changes such as a Service-Based Architecture (SBA) and the functional separation of network functions.

A significant difference between NSA and SA is that NSA provides control signalling of 5G to the 4G base station, whereas in SA the 5G base station is directly connected to the 5G core network and the control signalling does not depend on the 4G network.

Significant progress on interconnect security has been made with the advent of 5G, for which new inter-network controls such as the Security Edge Protection Proxy (SEPP) have been defined. The SEPP is a new network function that protects the home network edge, acting as the security gateway on interconnections between the home network and visited networks.

Figure 8: Security Edge Protection Proxy (VPLMN SEPP - IPX - HPLMN SEPP)

Supply Chain Security

The Supply Chain Threat
ENISA has published a supply chain threat landscape[83] mapping and studying the supply chain attacks that were discovered from January 2020 to early July 2021. ENISA found 62% of attacks took advantage of customer trust in the supplier; this is analogous to the historic SS7 signalling trust flaws, where operators trusted each other implicitly, which subsequently opened an attack route for malicious third parties. One of the new attacks in the ENISA report was the Kaseya compromise[84].

Countries and national regulators are responding to the need for increased resiliency in network infrastructure by placing requirements on all operators to increase the levels of security and controls. This can include new supply chain arrangements to manage national operator use of specific suppliers. A recurring feature is to have active management of an operator’s supply chain. Consideration will be necessary as to the required ‘depth’ of management and ‘deep understanding’ of supply chains to ensure they are resilient and diverse.

Vendor selection is also important when considering managed service providers and also providers of non-network product (or underpinning) related services such as cloud providers. The business reliance placed on these aspects is crucial, as parts of the security and operational models are increasingly delivered by third parties and this introduces new threat vectors.

The opportunity for indirect attacks through supplier or third-party tooling and services should not be underestimated, as was shown when SolarWinds was compromised and unwittingly delivered infected binaries to many of its customers[85]. This attack led to multiple services that used the SolarWinds platform and tools becoming vulnerable to exploits through a supply chain attack. This type of attack emphasises not only the need for vigilance in relation to which 3rd party tools to use and awareness of the security posture of the 3rd party, but also good control, management and separation of assets. The force multiplier effect for an attacker across all the target’s customers makes using a compromised vendor an attractive proposition.

Virtualised infrastructure and more open interfaces deliver significant benefits but also make the 5G supply chain more complex and multi-party compared to 4G and earlier. For example, virtualised infrastructure for a private cloud solution may comprise commodity compute hardware, virtualisation code to enable virtual machines and containers, and potentially a number of code vendors delivering services. This enables significant flexibility, scalability and potential cost savings but is also a more complicated supply chain.

[83] https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
[84] In July 2021, attackers exploited a zero day vulnerability in Kaseya’s own systems (CVE-2021-3011632) that enabled the attackers to remotely execute commands on the VSA appliances of Kaseya’s customers. Kaseya can send out remote updates to all VSA servers and, on Friday July 2, 2021, an update was distributed to Kaseya clients’ VSA that executed code from the attackers. This malicious code in turn deployed ransomware.
[85] SolarWinds Compromised https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2

The Supply Chain Response
The GSMA Supply Chain Toolbox[87] outlines a number of services and guidelines to help operators and their suppliers to better understand security and to access best practice. This includes different accreditation and assurance schemes and guidelines pertaining to specific areas of mobile technology. The different resources in the toolbox are organised by relevance to the different stages of procurement by an operator and to different stages of a vendor’s solution lifecycle.

Good security practices can mitigate the risk of third-party unauthorised access through utilising secure networks, strong authentication and least privilege practices alongside strong Privileged Access Management (PAM). Approaches such as zero trust, roots of trust and trust domain separation are also important security concepts in this space.

An example of a recommended control is to implement effective supply-chain and procurement controls to ensure the services operators operate and provide comply with legal requirements and manage supply-chain threats. This objective is met through a series of controls:
• Operators should set security hygiene expectations, e.g. patching and supply chain risk management practices
• Ownership and risk governance of the service and infrastructure
• Industry standard assessment programmes to assure vendor products (e.g. NESAS, SAS)
• Mapping planned physical interconnects
• Life-time support arrangements
• Manufacturers of critical components should provide a statement of compliance or local regulation compliance (e.g. using ISO 28000)
• Manufacturers of 5G network equipment should provide a statement of compliance or local regulation compliance (e.g. using ISO 27001/1)
• Manufacturers of 5G network equipment should provide, for example, an ISO 22301 statement of compliance or local regulation compliance
• 5G service providers should comply with, for example, Service and Organization Controls 2 (Statement on Standards for Attestation Engagements 18[88]) for all services provided under the scope of the service agreement or local regulation compliance

CASE STUDY: Syniverse
According to an Ars Technica report[86], Syniverse (a company that routes hundreds of billions of text messages every year for hundreds of carriers) revealed to government regulators that a hacker had gained unauthorized access to its databases for five years. A filing with the Securities and Exchange Commission said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

[86] https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/
[87] https://www.gsma.com/security/supply-chain-toolbox/
[88] https://us.aicpa.org/research/standards/auditattest/ssae.html

A second recommendation is that operators should implement 3rd party access and outsourcing controls to ensure the risks of information sharing and outsourcing are effectively managed. This objective is met through a series of controls:
• Processes to identify, prioritise and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process
• Procedures to identify and manage the risks associated with third-party access to the organization’s systems and data
• Security controls on internal staff and resources, including privileged access, are mirrored with prioritised suppliers
• Contract and due diligence checks for prioritised suppliers based on a pre-procurement risk assessment
• Breach notification should be provided by suppliers in a timely manner

GSMA encourages suppliers to participate in industry-recognised security assurance schemes, such as GSMA’s SAS[89] and NESAS[90], and encourages operators to source equipment from suppliers that participate in these schemes.

The role of a Software Bill of Materials (SBOM) is relevant in the context of managing code vulnerabilities but is also critically important when used to deliver supply chain controls in terms of being explicitly aware of what code is being utilised, the versions in use, where it is sourced from and its lifecycle state[91].

There is national intervention[92, 93] that can result in the limitation or banning of certain vendors.

Finally, in several regions such as Asia, Europe and the US, there is a push not only for a more diverse supply chain, but also for the greater use of national suppliers. This may include government incentives to use certain domestic suppliers. Of course, these vendors must also be able to meet the wider security provisions already mentioned in this report and comply with relevant procurement and industry competition regulations.
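The SBOM passage above lists what an operator needs to know about third-party code: what it is, its version, where it came from and its lifecycle state. The following Python check, added here as an example rather than taken from the NTIA report or the GSMA toolbox, validates a constructed CycloneDX-style SBOM against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author and timestamp) and flags components that are past a constructed end-of-support date or have no known lifecycle state; all component names, dates and the SBOM itself are made up for the example.

```python
# Added example: checking a CycloneDX-style SBOM for the NTIA minimum elements
# and for components whose lifecycle state makes them a supply chain risk.
import json
from datetime import date

# Constructed SBOM fragment in CycloneDX JSON layout (not any real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2022-01-15T10:00:00Z",
    "authors": [{"name": "Example Vendor SBOM tooling"}],
    "component": {"bom-ref": "app", "name": "upf-controller", "version": "3.2.0"}
  },
  "components": [
    {"bom-ref": "tls", "name": "tlslib", "version": "1.1.1k",
     "supplier": {"name": "TLS Project"}, "purl": "pkg:generic/tlslib@1.1.1k"},
    {"bom-ref": "gtp", "name": "gtp-stack", "version": "0.9",
     "supplier": {"name": "Legacy Signalling Ltd"}, "purl": "pkg:generic/gtp-stack@0.9"},
    {"bom-ref": "json", "name": "jsonparse", "version": "2.4.1",
     "purl": "pkg:generic/jsonparse@2.4.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["tls", "gtp"]},
    {"ref": "tls", "dependsOn": []},
    {"ref": "gtp", "dependsOn": []}
  ]
}
"""

# Constructed lifecycle register: version-less purl -> end-of-support date.
END_OF_SUPPORT = {
    "pkg:generic/gtp-stack": date(2021, 6, 30),
    "pkg:generic/tlslib": date(2023, 9, 11),
}

# NTIA minimum elements at component level: supplier, name, version, unique ID.
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def purl_base(purl: str) -> str:
    """Strip the version qualifier from a package URL."""
    return purl.split("@", 1)[0]


def check_minimum_elements(sbom: dict) -> list:
    """Return (bom-ref, issue) pairs for missing NTIA minimum elements."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append(("metadata", "missing timestamp"))
    if not meta.get("authors"):
        findings.append(("metadata", "missing SBOM author"))
    # Every component must take part in the dependency graph somewhere.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "?")
        for field in NTIA_COMPONENT_FIELDS:
            value = comp.get(field)
            if field == "supplier":
                value = (value or {}).get("name")
            if not value:
                findings.append((ref, f"missing {field}"))
        if ref not in referenced:
            findings.append((ref, "no dependency relationship recorded"))
    return findings


def check_lifecycle(sbom: dict, today: date) -> list:
    """Flag components past end of support or with no known lifecycle state."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        eos = END_OF_SUPPORT.get(purl_base(purl))
        if eos is None:
            findings.append((comp["bom-ref"], "lifecycle state unknown"))
        elif eos < today:
            findings.append((comp["bom-ref"], f"end of support {eos.isoformat()}"))
    return findings


def review(sbom_text: str, today: date = date(2022, 2, 1)) -> list:
    """Parse the SBOM text and run both checks; today defaults to a fixed date."""
    sbom = json.loads(sbom_text)
    return check_minimum_elements(sbom) + check_lifecycle(sbom, today)
```

Run against the constructed SBOM, `review(SBOM_JSON)` reports the unsupplied and orphaned `jsonparse` component, the end-of-support `gtp-stack`, and nothing for `tlslib`.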

[89] https://www.gsma.com/security/security-accreditation-scheme/
[90] https://www.gsma.com/security/network-equipment-security-assurance-scheme/
[91] https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
[92] https://docs.fcc.gov/public/attachments/FCC-19-121A1.pdf
[93] https://www.bbc.co.uk/news/technology-53403793

Final Thoughts

This document provides an overview of the security landscape for the mobile industry in the context of current threats facing Mobile Network Operators and the wider ecosystem. In many cases, these threats and recommendations are not new, and effective responses are available to be implemented.

This report recommends:
• implementing the existing advice identified and referenced in this report
• maintaining active contributions to build and augment GSMA security guidance
• seeking out opportunities to get involved in industry security initiatives

Over the coming year the GSMA will continue to support its members on security matters. To get in touch, or get more closely involved, please email [email protected].

GSMA Fraud & Security Services
Building stronger resilience within the mobile ecosystem

• GSMA Coordinated Vulnerability Disclosure (CVD): A way for researchers to disclose vulnerabilities that could impact the mobile ecosystem
• GSMA Device Check™: Protect against the risk of handling stolen or fraudulent devices, with this instant look-up service
• GSMA Device Registry: Deter device crime, by exchanging device status information across the global ecosystem
• GSMA eUICC Security Assurance (eSA): Instil confidence that eUICC chipsets have reached rigorous industry security standards
• GSMA Network Equipment Security Assurance Scheme (NESAS): Security assessment of vendors’ product development/lifecycle processes and infrastructure products
• GSMA Security Accreditation Scheme (SAS): Security audit and certification of SIM/eSIM production and subscription management sites
• GSMA Fraud and Security Working Group (FASG) (GSMA member only): Share threat intelligence in a confidential forum and collaborate to maintain the security of operators’ and their customers’ assets
• GSMA Telecommunications Information Sharing and Analysis Center (T-ISAC): Share timely and actionable information on cyber security threats in a trusted environment

gsma.com
Find out more at
www.gsma.com

GSMA HEAD OFFICE


Floor 2
The Walbrook Building
25 Walbrook
London EC4N 8AF
United Kingdom
Tel: +44 (0)20 7356 0600
Fax: +44 (0)20 7356 0601
