I’ve been following the work of Dmitry Kurbatov, SecurityGen’s CTO, for some time. SecurityGen is a global cybersecurity firm focused on telecom security, providing automation and offensive testing for mobile operators.
SecurityGen understands that while network owners must and will use telecom technology to deliver value, they must be able to do so without compromising network security and trust. SecurityGen’s deep and broad telecom cybersecurity expertise, robust product portfolio, and global advisory experience help organisations deliver secure and resilient networks, with a focus on 5G.
As you’ll hear in this session, chinks in the IT, OT (Operational Technology), and telecom armour let bad actors in, and from there they move laterally into other planes.
We’re joined by Bohdan and Aaron for what turns out to be a deep session, with lots of agreement and spirited discussion.
We started with the SKT breach, which began as a VPN breach on the IT side and then, through lateral movement, ended up with access to the HSS (Home Subscriber Server), the crown jewels of a mobile network: it holds the subscriber profiles and the keys used to authenticate their SIMs.
The initial access was likely remote IT access for contractors. We covered this as a known weakness in our Industry 4.0 sessions; see Matthew Smith’s session from last year, Slash the Industry 4.0 Gordian Knot.
As the hackers roamed around SKT’s IT infrastructure they discovered the HSS and started exfiltrating its data. At that point Security Operations detected the intrusion, stopped it, and reported it to the regulator as required under SKT’s licence.
Aaron asked an excellent question: should PII (Personally Identifiable Information) be encrypted at rest? It is common practice in IT. In telecom networks, however, a legacy assumption persists that anything inside the network is secure, rather than the modern zero-trust assumption that nothing is. That matters most when the break-in arrives from a non-telecom plane such as IT, as it did here.
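To make the encryption-at-rest point concrete, here is an added example; it is not SecurityGen’s code and not anything discussed in the session. A simplified HSS subscriber record (IMSI, MSISDN, Ki) is sealed with AES-256-GCM under a per-subscriber key derived from a master key, with the IMSI as additional authenticated data so a stolen blob cannot be re-attached to another subscriber’s row. The record layout, the key-derivation label and the master key handling (a plain byte slice standing in for an HSM or KMS) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SubscriberRecord is a constructed, simplified HSS/AuC entry. These are the
// fields whose disclosure forces SIM replacement (IMSI and Ki) or enables
// account takeover (MSISDN); a real profile carries many more.
type SubscriberRecord struct {
	IMSI   string
	MSISDN string
	Ki     [16]byte // 128-bit subscriber authentication key
}

// EncryptedRecord is the at-rest form. The IMSI stays in clear as the lookup
// key; everything else is sealed with AES-256-GCM and bound to the IMSI as
// additional authenticated data, so a blob cannot be moved between rows.
type EncryptedRecord struct {
	IMSI       string
	Nonce      []byte
	Ciphertext []byte // MSISDN || '|' || Ki, sealed
}

// recordKey derives a per-subscriber data key from a master key. The master
// key is assumed to live in an HSM or KMS in production; here it is a byte slice.
func recordKey(masterKey []byte, imsi string) []byte {
	h := sha256.New()
	h.Write(masterKey)
	h.Write([]byte("hss-record-v1:" + imsi)) // constructed derivation label
	return h.Sum(nil)                         // 32 bytes -> AES-256
}

func newGCM(masterKey []byte, imsi string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(recordKey(masterKey, imsi))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a subscriber record for storage with a fresh random nonce.
func SealRecord(masterKey []byte, r SubscriberRecord) (EncryptedRecord, error) {
	gcm, err := newGCM(masterKey, r.IMSI)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	plain := append([]byte(r.MSISDN+"|"), r.Ki[:]...)
	return EncryptedRecord{
		IMSI:       r.IMSI,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain, []byte(r.IMSI)),
	}, nil
}

// OpenRecord decrypts a stored record. Tampering with the ciphertext, the
// nonce, or the IMSI the blob is attached to fails the GCM tag check.
func OpenRecord(masterKey []byte, e EncryptedRecord) (SubscriberRecord, error) {
	gcm, err := newGCM(masterKey, e.IMSI)
	if err != nil {
		return SubscriberRecord{}, err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.IMSI))
	if err != nil {
		return SubscriberRecord{}, errors.New("record authentication failed: tampered, moved, or wrong key")
	}
	if len(plain) < 17 || plain[len(plain)-17] != '|' {
		return SubscriberRecord{}, errors.New("malformed plaintext layout")
	}
	r := SubscriberRecord{IMSI: e.IMSI, MSISDN: string(plain[:len(plain)-17])}
	copy(r.Ki[:], plain[len(plain)-16:])
	return r, nil
}

func main() {
	master := []byte("constructed-32-byte-master-key!!") // constructed; would come from an HSM/KMS
	var ki [16]byte
	copy(ki[:], "constructed-Ki!!") // constructed sample key, not a real Ki
	e, err := SealRecord(master, SubscriberRecord{IMSI: "450050123456789", MSISDN: "821012345678", Ki: ki})
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", e.IMSI, hex.EncodeToString(e.Ciphertext))
}
```

The caveat a practitioner would add: this protects against the bulk copy of the store, which is what the SKT account above describes, because the dumped rows are useless without the master key. It does nothing against an attacker who has taken over the HSS process or the key service itself, which is why the zero-trust point about the management plane stands alongside it rather than being replaced by it.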
Supply chain security raises the issue of outsourcing. The cyber security industry is growing fast, but many of the small companies providing managed security services are perhaps less secure than a large established business. We see the same pattern in messaging, where telcos rely on messaging partners that bring in spam, AIT (Artificially Inflated Traffic), and other problems.
Back to the SKT hack: SIM replacement will take time, and Bohdan shared some data on replacement times. Dmitry asked why not use eSIM, given the number of eSIM-capable devices in South Korea. We left this open, as eSIM would appear better suited to such a situation than replacing all the physical SIMs.
We moved on to SS7, Diameter, and GTP (GPRS Tunnelling Protocol). SS7 is the legacy telecom signalling protocol that will not die. It was created in the ’70s and deployed in the late ’80s / early ’90s. It assumes a closed, trusted deployment environment in which all endpoints are secure. It really should have been replaced by now.
Diameter is the “replacement” for SS7: the signalling protocol for 4G/LTE and VoLTE. It was designed with SS7’s weaknesses in mind, for example by supporting transport security (TLS or IPsec). Both protocols are currently needed for call setup, routing, and other signalling functions, and Diameter is the more secure alternative, provided its implementation is complete.
And finally, IPX (IP eXchange) is the private inter-operator IP network over which mobile networks interconnect, used for data roaming among other things and carrying the GTP tunnels between operators. GTP keeps subscriber sessions working across that complex mesh of networks, and that complex mesh is the vector used by hackers.
We finished the geek fest with LIMINAL PANDA (China), which has targeted telecom networks since 2020. This deserves a session of its own, but CrowdStrike provides a nice summary.
Dmitry explained how LIMINAL PANDA used GTP to move laterally between compromised networks. In SecurityGen’s penetration testing, GTP is one of the less protected telecom protocols, to the point where even SSH management ports are reachable from other networks.
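To make the GTP point concrete, here is an added example; it is not SecurityGen’s tooling and not anything LIMINAL PANDA used. It parses the mandatory GTPv1 / GTPv2-C header and applies a small roaming-border policy: accept GTP only from known partner address ranges, and only for message types that belong on the Gp/S8 roaming interfaces. The partner CIDR, the sample datagrams and the message-type allowlists are constructed for illustration; the lists are a subset, not the GSMA FS.20 tables.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// GTPHeader is the mandatory header shared by GTPv1 (3GPP TS 29.060) and GTPv2-C
// (3GPP TS 29.274): the fields a border element needs before it reads any IEs.
type GTPHeader struct {
	Version     uint8
	MessageType uint8
	Length      uint16 // octets following the mandatory header, as signalled
	TEID        uint32
	HasTEID     bool
}

// ParseGTPHeader decodes the mandatory header of a GTP datagram (GTP-C on UDP 2123,
// GTP-U on UDP 2152) and checks the signalled length against the buffer.
func ParseGTPHeader(b []byte) (GTPHeader, error) {
	if len(b) < 8 {
		return GTPHeader{}, errors.New("short GTP header")
	}
	h := GTPHeader{Version: b[0] >> 5, MessageType: b[1], Length: binary.BigEndian.Uint16(b[2:4])}
	mandatory := 4 // GTPv2-C: Length excludes the first 4 octets
	switch h.Version {
	case 1: // PT bit 0x10: 1 = GTP, 0 = GTP' (charging), which never belongs on a roaming link
		if b[0]&0x10 == 0 {
			return GTPHeader{}, errors.New("GTP' (charging protocol) on a roaming interface")
		}
		h.HasTEID, mandatory = true, 8 // GTPv1 always carries a TEID; Length excludes the first 8 octets
	case 2:
		h.HasTEID = b[0]&0x08 != 0 // T flag: a TEID follows the Length field
	default:
		return GTPHeader{}, fmt.Errorf("unsupported GTP version %d", h.Version)
	}
	if h.HasTEID {
		h.TEID = binary.BigEndian.Uint32(b[4:8])
	}
	if int(h.Length)+mandatory > len(b) {
		return GTPHeader{}, errors.New("signalled length exceeds datagram")
	}
	return h, nil
}

// iface identifies a roaming interface by UDP port and GTP version.
type iface struct {
	port    int
	version uint8
}

// Policy is a constructed, deliberately small roaming-border policy: the peer must be a
// known partner network and only message types that legitimately cross Gp/S8 are accepted.
// A production GTP firewall (GSMA FS.20) adds rate limits, TEID/IMSI consistency and IE checks.
type Policy struct {
	Partners []*net.IPNet
	Allowed  map[iface]map[uint8]bool
}

// NewRoamingPolicy builds a policy from partner CIDRs; the type sets are illustrative subsets.
func NewRoamingPolicy(partnerCIDRs ...string) (Policy, error) {
	p := Policy{Allowed: map[iface]map[uint8]bool{
		{2123, 2}: {1: true, 2: true, 32: true, 33: true, 34: true, 35: true, 36: true, 37: true}, // GTPv2-C: Echo, Create/Modify/Delete Session
		{2123, 1}: {1: true, 2: true, 16: true, 17: true, 18: true, 19: true, 20: true, 21: true}, // GTPv1-C: Echo, Create/Update/Delete PDP Context
		{2152, 1}: {1: true, 2: true, 26: true, 255: true},                                        // GTP-U: Echo, Error Indication, G-PDU
	}}
	for _, c := range partnerCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return Policy{}, err
		}
		p.Partners = append(p.Partners, n)
	}
	return p, nil
}

// Evaluate says whether a GTP datagram from src to dstPort passes the roaming border, with a
// reason suitable for a SOC log line. An unknown port/version pair is a nil map and rejects every type.
func (p Policy) Evaluate(src net.IP, dstPort int, payload []byte) (bool, string) {
	partner := false
	for _, n := range p.Partners {
		partner = partner || n.Contains(src)
	}
	if !partner {
		return false, "source " + src.String() + " is not a roaming partner"
	}
	h, err := ParseGTPHeader(payload)
	if err != nil {
		return false, err.Error()
	}
	if !p.Allowed[iface{dstPort, h.Version}][h.MessageType] {
		return false, fmt.Sprintf("GTPv%d message type %d not permitted on UDP/%d", h.Version, h.MessageType, dstPort)
	}
	return true, fmt.Sprintf("GTPv%d type %d TEID 0x%08x accepted", h.Version, h.MessageType, h.TEID)
}

func main() {
	p, _ := NewRoamingPolicy("203.0.113.0/24") // constructed partner range (TEST-NET-3)
	// Constructed GTPv2-C Create Session Request with no IEs: version 2, T flag, type 32, Length 8, TEID 0.
	csr := []byte{0x48, 0x20, 0x00, 0x08, 0, 0, 0, 0, 0, 0, 0x01, 0x00}
	fmt.Println(p.Evaluate(net.ParseIP("198.51.100.5"), 2123, csr)) // not a partner: dropped
}
```

Run against captures from the IPX-facing interface, anything this rejects for source address is a peer that should not be able to reach you at all, GTP or otherwise; the exposed SSH management ports Dmitry mentions are the same border-filtering failure on a different port, not a GTP-specific one.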
The situation is slowly getting better, but it’s still a problem. Aaron and Bohdan then discussed why mobile networks and devices are being targeted: because the devices are used for payments, identity, identity verification, and so on. The phone is a gateway to many services available over the internet.
Dmitry shared the massive OTP (One Time Password) interception in Northern Africa during 2023/24, used to create synthetic WhatsApp / Telegram accounts for botnets that inflate user numbers or make posts/channels appear popular. Aaron highlighted how this could also be used for remote workers. Bohdan shared how these botnets can be used for denial of service so victims do not receive security alerts.
I moved the discussion onto 5G and its promised security upgrades. Dmitry highlighted that the potential is there, but often the implementation is not: most deployments are not 5G Standalone but non-standalone 5G on the Evolved Packet Core. As for encryption, only 20% of carriers have implemented it; the rest remain clear text.
Another shift is the move to all-IP in 5G, which makes the network addressable by all the hacking tools built for the web / internet, expanding the pool of hackers by, in my opinion, an order of magnitude.
To wrap up, I asked Dmitry what recommendations he has for telcos to better protect their customers. Aaron pointed out that all mobiles are now IP devices, so the question should be asked more generally.
Dmitry’s answer we already knew. Security needs to shift left: part of the design, not a band-aid after implementation. The CEO needs to care intensely, so losing customer data needs to cause them financial pain. And it takes a chief security officer responsible across people, processes, and technology, not just a digital security officer.
Aaron then broadened the discussion to banking, as our discussion was relevant to their situation as well. Dmitry left us with the one thing to do: be suspicious. Does that email look OK? Is this sign-off protecting my business, or just getting the vendor paid?
Session: “TADSummit online Conference, Telecom CyberSecurity, Dmitry Kurbatov.”